From f506ee749caa96d3bda5c6c633e701cff644a0a7 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Sat, 12 Oct 2024 03:02:35 +0000
Subject: [PATCH] Update generated site files
---
 ...dx => acronis_cyber_protect__remotix_.mdx} | 8 +-
 website/pages/tools/isl_online.mdx | 2 +-
 .../tools/itsupport247__connectwise_.mdx | 2 +-
 .../n-able_advanced_monitoring_agent.mdx | 4 +-
 website/pages/tools/netsupport_manager.mdx | 4 +-
 website/public/api/rmm_tools.csv | 508 +-
 website/public/api/rmm_tools.json | 10904 ++++++++--------
 website/public/rmm_tools_table.csv | 484 +-
 8 files changed, 5958 insertions(+), 5958 deletions(-)
 rename website/pages/tools/{acronic_cyber_protect__remotix_.mdx => acronis_cyber_protect__remotix_.mdx} (88%)
diff --git a/website/pages/tools/acronic_cyber_protect__remotix_.mdx b/website/pages/tools/acronis_cyber_protect__remotix_.mdx
similarity index 88%
rename from website/pages/tools/acronic_cyber_protect__remotix_.mdx
rename to website/pages/tools/acronis_cyber_protect__remotix_.mdx
index 4a00b2e3..85c0a027 100644
--- a/website/pages/tools/acronic_cyber_protect__remotix_.mdx
+++ b/website/pages/tools/acronis_cyber_protect__remotix_.mdx
@@ -1,15 +1,15 @@
 ---
-description = "Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available."
-title = "Acronic Cyber Protect (Remotix)"
+description = "Acronis Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available."
+title = "Acronis Cyber Protect (Remotix)"
 ---
 import {Card, Badges, Details, PEMetadata, DiskArtifacts, EventLogTable, RegistryTable, OtherArtifactsTable, NetworkArtifactsTable} from "../../components/card";
 import {EuiSpacer} from "@elastic/eui"
-# Acronic Cyber Protect (Remotix)
+# Acronis Cyber Protect (Remotix)
-Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.
+Acronis Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.
 ### Details
#### Installation Paths - +
diff --git a/website/pages/tools/itsupport247__connectwise_.mdx b/website/pages/tools/itsupport247__connectwise_.mdx
index 75a7e65a..407424dd 100644
--- a/website/pages/tools/itsupport247__connectwise_.mdx
+++ b/website/pages/tools/itsupport247__connectwise_.mdx
@@ -36,7 +36,7 @@ ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. Mor #### Network Artifacts - +
diff --git a/website/pages/tools/n-able_advanced_monitoring_agent.mdx b/website/pages/tools/n-able_advanced_monitoring_agent.mdx
index 4497d0c9..04a06096 100644
--- a/website/pages/tools/n-able_advanced_monitoring_agent.mdx
+++ b/website/pages/tools/n-able_advanced_monitoring_agent.mdx
@@ -23,7 +23,7 @@ N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) too /> #### Installation Paths - +
@@ -36,7 +36,7 @@ N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) too #### Network Artifacts - +
diff --git a/website/pages/tools/netsupport_manager.mdx b/website/pages/tools/netsupport_manager.mdx
index 37c3a395..37b58039 100644
--- a/website/pages/tools/netsupport_manager.mdx
+++ b/website/pages/tools/netsupport_manager.mdx
@@ -23,7 +23,7 @@ NetSupport Manager is a remote monitoring and management (RMM) tool. More inform /> #### Installation Paths - +
@@ -36,7 +36,7 @@ NetSupport Manager is a remote monitoring and management (RMM) tool. More inform #### Network Artifacts - +
diff --git a/website/public/api/rmm_tools.csv b/website/public/api/rmm_tools.csv
index a0874d4d..976db8a5 100644
--- a/website/public/api/rmm_tools.csv
+++ b/website/public/api/rmm_tools.csv
@@ -1,284 +1,284 @@ Name,Category,Description,Author,Created,LastModified,Website,Filename,OriginalFileName,PEDescription,Product,Privileges,Free,Verification,SupportedOS,Capabilities,Vulnerabilities,InstallationPaths,Artifacts,Detections,References,Acknowledgement -LabTeach (Connectwise Automate),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,ltsvc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool""}]",,[] -Zabbix Agent,,Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,zabbix_agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""zabbix.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zabbix Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zabbix Agent RMM tool""}]",https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent,[] -Senso.cloud,,Senso.cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SensoClient.exe, SensoService.exe, aadg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.senso.cloud"", ""senso.cloud""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Senso.cloud RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Senso.cloud RMM tool""}]",https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration,[] -I'm InTouch,,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iit.exe, intouch.exe, I'm InTouch Go Installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.01com.com"", ""01com.com/imintouch-remote-pc-desktop""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml"", ""Description"": ""Detects potential network activity of I'm InTouch RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of I'm InTouch RMM tool""}]",https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/,[] -RustDesk,,RustDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rustdesk*.exe, rustdesk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""rustdesk.com"", ""user_managed"", ""web.rustdesk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of RustDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RustDesk RMM tool""}]",https://rustdesk.com/docs/en/,[] -Electric AI (Kaseya),,Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""electric.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml"", ""Description"": ""Detects potential network activity of Electric RMM tool""}]",https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf,[] -ZOC,,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ZOC8\*, *\ZOC?\*, *\zoc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZOC RMM tool""}]",,[] -Any Support,,Any Support is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,ManualLauncher.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.anysupport.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml"", ""Description"": ""Detects potential network activity of Any Support RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Any Support RMM tool""}]",https://www.anysupport.net/introduce_howto.php,[] -PDQ Connect,,PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,pdq-connect*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""app.pdq.com"", ""cfcdn.pdq.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of PDQ Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PDQ Connect RMM tool""}]",https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements,[] -Pcnow,,Pcnow is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mwcliun.exe, pcnmgr.exe, webexpcnow.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""au.pcmag.com/utilities/21470/webex-pcnow""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pcnow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pcnow RMM tool""}]",http://pcnow.webex.com/ - DOA as of 2024,[] -Seetrol,,Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"seetrolcenter.exe, seetrolclient.exe, seetrolmyservice.exe, seetrolremote.exe, seetrolsetting.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""seetrol.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Seetrol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Seetrol RMM tool""}]",http://www.seetrol.com/en/features/features3.php,[] -CarotDAV,,CarotDAV is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Rei Software\CarotDAV\*, *\Rei Software\CarotDAV\*, *\CarotDAV.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CarotDAV RMM tool""}]",,[] -Goverlan,,Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"goverrmc.exe, govsrv*.exe, GovAgentInstallHelper.exe, GovAgentx64.exe, GovReachClient.exe, C:\Program Files (x86)\PJ Technologies\GOVsrv\*, *\PJ Technologies\GOVsrv\*, *\GovSrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""goverlan.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml"", ""Description"": ""Detects potential network activity of Goverlan RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Goverlan RMM tool""}]",https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf,[] -OptiTune,,OptiTune is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OTService.exe, OTPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.optitune.us"", ""*.opti-tune.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml"", ""Description"": ""Detects potential network activity of OptiTune RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OptiTune RMM tool""}]",https://www.bravurasoftware.com/optitune/support/faq.aspx,[] -EMCO Remote Console,,EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,remoteconsole.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""emcosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml"", ""Description"": ""Detects potential network activity of EMCO Remote Console RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of EMCO Remote Console RMM tool""}]",,[] -N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Agent_*_RW.exe, BASEClient.exe, BASupApp.exe, BASupSrvc.exe, BASupSrvcCnfg.exe, BASupTSHelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remote.management"", ""*.logicnow.com"", ""*systemmonitor.us"", ""*systemmonitor.eu.com"", ""*system-monitor.com"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""*systemmonitor.co.uk"", ""*.n-able.com"", ""*.beanywhere.com "", ""*.swi-tc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] -Tailscale,,Tailscale is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tailscale-*.exe, tailscaled.exe, tailscale-ipn.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.tailscale.com"", ""*.tailscale.io"", ""tailscale.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tailscale RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tailscale RMM tool""}]",https://tailscale.com/kb/1023/troubleshooting,[] -Pilixo,,Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rdp.exe, Pilixo_Installer*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pilixo.com"", ""download.pilixo.com"", ""*.pilixo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pilixo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pilixo RMM tool""}]",https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls,[] -Remote Desktop Manager (Devolutions),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -BeyondTrust (Bomgar),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"bomgar-scc-*.exe, bomgar-scc.exe, bomgar-pac-*.exe, bomgar-pac.exe, bomgar-rdp.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beyondtrustcloud.com"", ""*.bomgarcloud.com"", ""bomgarcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml"", ""Description"": ""Detects potential network activity of BeyondTrust (Bomgar) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeyondTrust (Bomgar) RMM tool""}]",https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,[] -Alpemix,,"Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.alpemix.com/en/Home,Alpemix.exe,Alpemix,Alpemix,Alpemix,,,,"Windows, Linux, Android, Mac, IOS","5 Different Solutions for Remote Support, Access to Unattended Computers, Access to User Account Control (UAC) Screens, Add Your Own Logo, Auto Sizing, Automatic Update, Clipboard Transfer, Computer Independent Licensing, Contact List and Groups, Encrypted Communication, External Communication Barrier, File Transfer, Instant Messaging, Multi-Platform Support, Multiple Chat, Multiple Connections, No Port Forwarding Required, Peer to Peer Connection (p2p), Receiving Offline Message, Remote Restart, ReportingRestricting The Authority, Screen Sharing, Sending Announcement Message, Sharing a certain part of the screen, Video Recording, Voice Communication, Who is currently supporting?, Working in Black Screen Mode",,"C:\AlpemixService.exe, C:\AlpemixSrvc\","{""Disk"": [{""File"": ""%localappdata%\\Alpemix\\Alpemix.ini"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AlpemixSrvc"", ""ImagePath"": ""*\\Alpemix.exe servicestartxxx"", ""Description"": ""Service installation event as result of Alpemix installation.""}], ""Registry"": [{""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.alpemix.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.teknopars.com""], ""Ports"": [80]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml"", ""Description"": ""Detects potential network activity of Alpemix RMM tool""}, 
{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml"", ""Description"": ""Detects potential files activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Alpemix RMM tool""}]",https://www.alpemix.com/en/remote-access,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" -Auvik,,Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"auvik.engine.exe, auvik.agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.my.auvik.com"", ""*.auvik.com"", ""auvik.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml"", ""Description"": ""Detects potential network activity of Auvik RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Auvik RMM tool""}]",https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use,[] -Tactical RMM,,Tactical RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tacticalrmm.exe, tacticalrmm.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""login.tailscale.com"", ""login.tailscale.com"", ""docs.tacticalrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tactical RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tactical RMM RMM tool""}]",docs.tacticalrmm.com,[] -MioNet (WD Anywhere Access),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool""}]",https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016,[] -Comodo RMM,,Comodo RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"itsmagent.exe, rviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsm-us1.comodo.com"", ""*mdmsupport.comodo.com"", ""one.comodo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Comodo RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Comodo RMM RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] -Pocket Controller,,Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"pocketcontroller.exe, pocketcloudservice.exe, wysebrowser.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""soti.net/products/soti-pocket-controller""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller RMM tool""}]",,[] -NordLocker,,NordLocker is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -OCS inventory,,OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ocsinventory.exe, ocsservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ocsinventory-ng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml"", ""Description"": ""Detects potential network activity of OCS inventory RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OCS inventory RMM tool""}]",https://ocsinventory-ng.org/?page_id=878&lang=en,[] -GotoHTTP,,GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"GotoHTTP_x64.exe, gotohttp.exe, GotoHTTP*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gotohttp.com"", ""gotohttp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml"", ""Description"": ""Detects potential network activity of GotoHTTP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GotoHTTP RMM tool""}]",https://gotohttp.com/goto/help.12x,[] -Terminals,,Terminals is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -RPort,,RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rport.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""rport.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml"", ""Description"": ""Detects potential network activity of RPort RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RPort RMM tool""}]",https://kb.rport.io/using-the-remote-access,[] +DeskNets,,DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://www.desknets.com/en/download.html,[] CentraStage (Now Datto),,CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"CagService.exe, AEMAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.rmm.datto.com"", ""*cc.centrastage.net"", ""datto.com/au/products/rmm/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml"", ""Description"": ""Detects potential network activity of CentraStage (Now Datto) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CentraStage (Now Datto) RMM tool""}]",https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm,[] -Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, InstantHousecall.exe, ihcserver.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""secure.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] -CruzControl,,CruzControl is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://resources.doradosoftware.com/cruz-rmm,[] -Mikogo,,Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"mikogo.exe, mikogo-starter.exe, mikogo-service.exe, mikogolauncher.exe, C:\Users\*\AppData\Roaming\Mikogo\*, *Users\*\AppData\Roaming\Mikogo\*, *\Mikogo-Service.exe, *\Mikogo-Screen-Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.real-time-collaboration.com"", ""*.mikogo4.com"", ""*.mikogo.com"", ""mikogo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Mikogo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Mikogo RMM tool""}]",https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services,[] -mRemoteNG,,mRemoteNG is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mRemoteNG.exe, C:\Program Files (x86)\mRemoteNG\*, *\mRemoteNG\*, *\mRemoteNG.exe, c:\Program Files (x86)%\mRemoteNG, *%\mRemoteNG, mRemoteNG-Installer-*.msi, *\mRemoteNG.exe","{""Disk"": [{""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log"", ""Description"": ""mRemoteNG log file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml"", ""Description"": ""mRemoteNG configuration file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config"", ""Description"": ""mRemoteNG user configuration file"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""mremoteng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml"", ""Description"": ""Detects potential network activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml"", ""Description"": ""Detects potential files activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of mRemoteNG RMM tool""}]",https://github.com/mRemoteNG/mRemoteNG,[] -LabTech RMM (Now ConnectWise Automate),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml"", ""Description"": ""Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}]",,[] -ScreenMeet,,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ScreenMeetSupport.exe, ScreenMeet.Support.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.screenmeet.com"", ""*.scrn.mt""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenMeet RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenMeet RMM tool""}]",https://docs.screenmeet.com/docs/firewall-white-list,[] -RES Automation Manager,,RES Automation Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"wisshell*.exe, wmc.exe, wmc_deployer.exe, wmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ivanti.com/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of RES Automation Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RES Automation Manager RMM tool""}]",https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1,[] -Anyplace Control,,Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,apc_host.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""anyplace-control.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Anyplace Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Anyplace Control RMM tool""}]",http://www.anyplace-control.com/anyplace-control/help/faq.htm,[] -TightVNC,,TightVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tvnviewer.exe, TightVNCViewerPortable*.exe, tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tightvnc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TightVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TightVNC RMM tool""}]",https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf,[] -LiteManager,,LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"lmnoipserver.exe, ROMFUSClient.exe, romfusclient.exe, romviewer.exe, romserver.exe, ROMServer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.litemanager.ru"", ""*.litemanager.com"", ""litemanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml"", ""Description"": ""Detects potential network activity of LiteManager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LiteManager RMM tool""}]",https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/,[] -Sophos-Remote Management System,,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"clientmrinit.exe, mgntsvc.exe, routernt.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sophos.com"", ""*.sophosupd.com"", ""*.sophosupd.net"", ""community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sophos-Remote Management System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sophos-Remote Management System RMM tool""}]",community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system,[] -ManageEngine,,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"InstallShield Setup.exe, ManageEngine_Remote_Access_Plus.exe, *\dcagentservice.exe, C:\Program Files (x86)\DesktopCentral_Agent\bin\*, *\DesktopCentral_Agent\bin\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ManageEngine RMM tool""}]",,[] -Splashtop Remote,,Splashtop Remote is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"strwinclt.exe, Splashtop_Streamer_Windows*.exe, SplashtopSOS.exe, sragent.exe, srmanager.exe, srserver.exe, srservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com"", ""*.api.splashtop.com"", ""*.relay.splashtop.com"", ""*.api.splashtop.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop Remote RMM tool""}]",https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,[] -rdp2tcp,,rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"tdp2tcp.exe, rdp2tcp.py","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/V-E-O/rdp2tcp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdp2tcp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdp2tcp RMM tool""}]",github.com/V-E-O/rdp2tcp,[] -Jump Cloud,,Jump Cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,JumpCloud*.exe ,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.api.jumpcloud.com"", ""*.assist.jumpcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Cloud RMM tool""}]",https://jumpcloud.com/support/understand-remote-assist-agent,[] +RemoteView,,RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remoteview.exe, rv.exe, rvagent.exe, rvagtray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*content.rview.com"", ""*.rview.com"", ""content.rview.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteView RMM tool""}]",https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall,[] +Quest KACE Agent (formerly Dell KACE),,Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,konea.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kace.com"", ""www.quest.com/kace/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml"", ""Description"": ""Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool""}]",https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function,[] +FleetDeck.io,,FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"fleetdeck_agent_svc.exe, fleetdeck_commander_svc.exe, fleetdeck_installer.exe, fleetdeck_commander_launcher.exe, fleetdeck_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fleetdeck.io"", ""cognito-idp.us-west-2.amazonaws.com"", ""fleetdeck.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of FleetDesk.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FleetDesk.io RMM tool""}]",https://fleetdeck.io/faq/,[] RuDesktop,,RuDesktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rd.exe, rudesktop*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.rudesktop.ru"", ""rudesktop.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of RuDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RuDesktop RMM tool""}]",https://rudesktop.ru,[] -LogMeIn,,"LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.logmein.com/,lmiguardiansvc.exe,,,,,,,,,,None,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""logmein-gateway.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.eu""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""logmeinrescue.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmeininc.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"", ""Description"": ""DNS Query To Remote Access Software Domain From Non-Browser App""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml"", ""Description"": ""Remote Access Tool - LogMeIn Execution""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn RMM tool""}]",https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" -SmartFTP,,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\SmartFTP Client\en-US\, *\SmartFTP Client\*, *\SfShellTools.dll.mui","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, pcicfgui.exe, client32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.netsupportmanager.com"", ""netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[] +ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, *\ISLLight.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] +MSP360,,MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Online Backup.exe, CBBackupPlan.exe, Cloud.Backup.Scheduler.exe, Cloud.Backup.RM.Service.exe, cbb.exe, CloudRaService.exe, CloudRaSd.exe, CloudRaCmd.exe, CloudRaUtilities.exe, Remote Desktop.exe, Connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.cloudberrylab.com"", ""*.msp360.com"", ""*.mspbackups.com"", ""msp360.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml"", ""Description"": ""Detects potential network activity of MSP360 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MSP360 RMM tool""}]",https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,[] +Supremo,,Supremo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"supremo.exe, supremoservice.exe, supremosystem.exe, supremohelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""supremocontrol.com"", ""*.supremocontrol.com"", ""* .nanosystems.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Supremo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Supremo RMM tool""}]",https://www.supremocontrol.com/frequently-asked-questions/,[] +Alpemix,,"Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. +",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.alpemix.com/en/Home,Alpemix.exe,Alpemix,Alpemix,Alpemix,,,,"Windows, Linux, Android, Mac, IOS","5 Different Solutions for Remote Support, Access to Unattended Computers, Access to User Account Control (UAC) Screens, Add Your Own Logo, Auto Sizing, Automatic Update, Clipboard Transfer, Computer Independent Licensing, Contact List and Groups, Encrypted Communication, External Communication Barrier, File Transfer, Instant Messaging, Multi-Platform Support, Multiple Chat, Multiple Connections, No Port Forwarding Required, Peer to Peer Connection (p2p), Receiving Offline Message, Remote Restart, ReportingRestricting The Authority, Screen Sharing, Sending Announcement Message, Sharing a certain part of the screen, Video Recording, Voice Communication, Who is currently supporting?, Working in Black Screen Mode",,"C:\AlpemixService.exe, C:\AlpemixSrvc\","{""Disk"": [{""File"": ""%localappdata%\\Alpemix\\Alpemix.ini"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 
7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AlpemixSrvc"", ""ImagePath"": ""*\\Alpemix.exe servicestartxxx"", ""Description"": ""Service installation event as result of Alpemix installation.""}], ""Registry"": [{""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.alpemix.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.teknopars.com""], ""Ports"": [80]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml"", ""Description"": ""Detects potential network activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml"", ""Description"": ""Detects potential files activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Alpemix RMM tool""}]",https://www.alpemix.com/en/remote-access,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +Bitvise SSH Server,,Bitvise SSH Server is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Bitvise SSH Server\*, *\Bitvise SSH Server\*, *\BvSshServer-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Server RMM tool""}]",,[] +SmarTTY,,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files (x86)\Sysprogs\SmarTTY\*, *\Sysprogs\SmarTTY\*, *\SmarTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SmarTTY RMM tool""}]",,[] +KHelpDesk,,KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,KHelpDesk.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.khelpdesk.com.br""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of KHelpDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KHelpDesk RMM tool""}]",https://www.khelpdesk.com.br/en-us,[] Pocket Cloud (Wyse),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcloud*.exe, pocketcloudservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Cloud (Wyse) RMM tool""}]",https://wyse-pocketcloud.informer.com/2.1/,[] -Guacamole,,Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,guacd.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""guacamole.apache.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml"", ""Description"": ""Detects potential network activity of Guacamole RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Guacamole RMM tool""}]",guacamole.apache.org,[] -LANDesk,,LANDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"issuser.exe, landeskagentbootstrap.exe, LANDeskPortalManager.exe, ldinv32.exe, ldsensors.exe, C:\Program Files (x86)\LANDesk\*, *\LANDesk\*, *\issuser.exe, *\softmon.exe, *\tmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com"", ""*.ivanti.com"", ""ivanti.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of LANDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LANDesk RMM tool""}]",https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US,[] -pcAnywhere,,pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"awhost32.exe, awrem32.exe, pcaquickconnect.exe, winaw32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of pcAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of pcAnywhere RMM tool""}]",https://en.wikipedia.org/wiki/PcAnywhere,[] -mstsc,,mstsc is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Windows\System32\mstsc.exe, *Windows\System32\mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of mstsc RMM tool""}]",,[] -FreeNX,,FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\nxplayer.exe, *\nxplayer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FreeNX RMM tool""}]",,[] -PSEXEC (Clone),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"paexec.exe, PAExec-*.exe, csexec.exe , remcom.exe, remcomsvc.exe, xcmd.exe, xcmdsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC (Clone) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC (Clone) RMM tool""}]",https://www.poweradmin.com/paexec/,[] -SpyAnywhere,,SpyAnywhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,sysdiag.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.spytech-web.com"", ""spyanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of SpyAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SpyAnywhere RMM tool""}]",https://www.spyanywhere.com/support.shtml,[] -MultCloud,,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"requires sign up, requires sign up","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Visual Studio Dev Tunnel,,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""global.rel.tunnels.api.visualstudio.com"", ""*.rel.tunnels.api.visualstudio.com"", ""*.devtunnels.ms""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of Visual Studio Dev Tunnel RMM tool""}]",https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security,[] -Xpra,,Xpra is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Xpra\*, *\Xpra\*, *\Xpra-Launcher.exe, *\Xpra-x86_64_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xpra RMM tool""}]",,[] -Royal Apps,,Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"royalserver.exe, royalts.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Apps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal Apps RMM tool""}]",https://www.royalapps.com/ts/win/download,[] -eHorus,,eHorus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,ehorus standalone.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml"", ""Description"": ""Detects potential network activity of eHorus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of eHorus RMM tool""}]",,[] -SuperPuTTY,,SuperPuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Downloads\SuperPuTTY\*, *Downloads\SuperPuTTY\*, *\superputty.exe, *\SuperPuTTY\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperPuTTY RMM tool""}]",,[] -ZeroTier,,ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zerotier*.msi, zerotier*.exe, zero-powershell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""zerotier.com"", ""*.zerotier.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml"", ""Description"": ""Detects potential network activity of ZeroTier RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZeroTier RMM tool""}]",https://my.zerotier.com/,[] -Devolutions Remote Desktop Manager,,Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -BeAnyWhere,,BeAnyWhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"basuptshelper.exe, basupsrvcupdate.exe, BASupApp.exe, BASupSysInf.exe, BASupAppSrvc.exe, TakeControl.exe, BASupAppElev.exe, basupsrvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beanywhere.en.uptodown.com/windows"", ""beanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeAnyWhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeAnyWhere RMM tool""}]",https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,[] -WebEx (Remote Access),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access,[] -AnyDesk,RMM,"AnyDesk is a popular remote desktop software that enables users to access and control a computer or device from a remote location. It was developed with the primary goal of facilitating remote work, technical support, and collaboration between individuals and teams. 
-","Ali Alwashali, Nasreddine Bencherchali",2023-09-29,2024-10-06,https://anydesk.com/en,anydesk.exe,AnyDesk.exe,AnyDesk,AnyDesk,User,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows","File Transfer, File System Access, Remote Control, GUI Support, Command line Support",https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html,"C:\Program Files (x86)\AnyDesk\*, C:\Program Files\AnyDesk\*","{""Disk"": [{""File"": ""%programdata%\\AnyDesk\\ad_svc.trace"", ""Description"": ""AnyDesk service log file. As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established."", ""OS"": ""Windows"", ""Example"": [""info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798""]}, {""File"": ""%programdata%\\AnyDesk\\connection_trace.txt"", ""Description"": ""Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)"", ""OS"": ""Windows"", ""Example"": [""Incoming 2022-08-23, 10:23 Passwd 547911884 547911884"", ""Incoming 2022-09-28, 12:39 User 442226597 442226597""]}, {""File"": ""%APPDATA%\\AnyDesk\\connection_trace.txt"", ""Description"": ""Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)"", ""OS"": ""Windows"", ""Example"": [""Incoming 2022-08-23, 10:23 Passwd 547911884 547911884"", ""Incoming 2022-09-28, 12:39 User 442226597 442226597""]}, {""File"": ""%APPDATA%\\AnyDesk\\ad.trace"", ""Description"": ""AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. 
It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant."", ""OS"": ""Windows"", ""Example"": [""info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30)."", ""info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0.""]}, {""File"": ""%APPDATA%\\AnyDesk\\chat\\*.txt"", ""Description"": ""If the chat functionality is used, its entries will be printed in a text file in this folder."", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\user.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\AnyDesk\\service.conf"", ""Description"": ""Password can be set to auto-validate the session. The password will be saved in a salted hash format."", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\service.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\system.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\AnyDesk\\system.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""~/Library/Application Support/AnyDesk/Logs/"", ""Description"": ""N/A"", ""OS"": ""Mac""}, {""File"": ""~/.config/AnyDesk/Logs/"", ""Description"": ""N/A"", ""OS"": ""Linux""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", 
""LogFile"": ""System.evtx"", ""ServiceName"": ""AnyDesk Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\"" --service"", ""Description"": ""Service installation event as result of AnyDesk installation.""}, {""EventID"": 4697, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""ServiceName"": ""AnyDesk Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\"" --service"", ""Description"": ""Service installation event as result of AnyDesk installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""During setup the boot.net.anydesk.com domain is request over port 443"", ""Domains"": [""boot.net.anydesk.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""relay-[a-f0-9]{8}.net.anydesk.com:443""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.anydesk.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""User-Agent"", ""Value"": ""AnyDesk/*""}, {""Type"": ""NamedPipe"", ""Value"": ""adprinterpipe""}]}","[{""Sigma"": 
""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml"", ""Description"": ""Anydesk Remote Access Software Service Installation""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml"", ""Description"": ""N/A""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml"", ""Description"": ""N/A""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml"", ""Description"": ""Remote Access Tool - AnyDesk Silent Installation""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of AnyDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of AnyDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml"", ""Description"": ""Detects potential files activity of AnyDesk RMM tool""}]","https://support.anydesk.com/knowledge/firewall, https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk, https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}, {""Person"": ""Ali Alwashali"", ""Handle"": ""@ali_alwashali""}, {""Person"": ""Nasreddine Bencherchali"", ""Handle"": 
""@nas_bench""}]" -Free Ping Tool,,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"can't find this one, can't find this one","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -S3 Browser,,S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\S3 Browser\*, *\S3 Browser\*, *\s3browser*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of S3 Browser RMM tool""}]",,[] -NinjaOne (formerly NinjaRMM),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,*ProgramData\NinjaRMMAgent\*,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Adobe Connect,,Adobe Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,"ConnectAppSetup*.exe, ConnectShellSetup*.exe, Connect.exe, ConnectDetector.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.adobeconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Adobe Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Adobe Connect RMM tool""}]",https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html,[] -RemotePC,,RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"C:\Program Files (x86)\RemotePC\*, Idrive.File-Transfer, *\RemotePC\*, remotepcservice.exe, RemotePC.exe, remotepchost.exe, idrive.RemotePCAgent, rpcsuite.exe, *\RemotePCService.exe, RemotePCService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotedesktop.com"", ""*.remotepc.com"", ""www.remotepc.com"", ""remotepc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePC RMM tool""}]",https://www.remotedesktop.com/helpdesk/faq-firewall,[] +AliWangWang-remote-control,,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,alitask.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""wangwang.taobao.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml"", ""Description"": ""Detects potential network activity of AliWangWang-remote-control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AliWangWang-remote-control RMM tool""}]",https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale,[] +TurboMeeting,,TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pcstarter.exe, turbomeeting.exe, turbomeetingstarter.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""acceo.com/turbomeeting/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml"", ""Description"": ""Detects potential network activity of TurboMeeting RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TurboMeeting RMM tool""}]",http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv,[] +BeyondTrust (Bomgar),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"bomgar-scc-*.exe, bomgar-scc.exe, bomgar-pac-*.exe, bomgar-pac.exe, bomgar-rdp.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beyondtrustcloud.com"", ""*.bomgarcloud.com"", ""bomgarcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml"", ""Description"": ""Detects potential network activity of BeyondTrust (Bomgar) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeyondTrust (Bomgar) RMM tool""}]",https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,[] +Absolute (Computrace),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,6/18/2024,,,,,,,,,,,,"rpcnet.exe, ctes.exe, ctespersitence.exe, cteshostsvc.exe, rpcld.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*search.namequery.com"", ""*server.absolute.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml"", ""Description"": ""Detects potential network activity of Absolute (Computrace) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Absolute (Computrace) RMM tool""}]",https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,[] +Impero Connect,,Impero Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ImperoClientSVC.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Impero Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Impero Connect RMM tool""}]",,[] +Netviewer (GoToMeet),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nvClient.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer (GoToMeet) RMM tool""}]",Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html,[] +Goverlan,,Goverlan is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"goverrmc.exe, govsrv*.exe, GovAgentInstallHelper.exe, GovAgentx64.exe, GovReachClient.exe, C:\Program Files (x86)\PJ Technologies\GOVsrv\*, *\PJ Technologies\GOVsrv\*, *\GovSrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""goverlan.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml"", ""Description"": ""Detects potential network activity of Goverlan RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Goverlan RMM tool""}]",https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf,[] +RAdmin,,"RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
+",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.radmin.com/,RServer3.exe,RServer3.exe,Radmin Server,Radmin Server,,,,Windows,,,"C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe, C:\Windows\SysWOW64\rserver30\rserver3.exe, C:\Windows\SysWOW64\rserver30\FamItrfc, C:\Windows\SysWOW64\rserver30\FamItrf2","{""Disk"": [{""File"": ""C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (32-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (64-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm"", ""Description"": ""RAdmin chat logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm"", ""Description"": ""RAdmin user chat logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""radmin.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml"", ""Description"": ""PUA - Radmin Viewer Utility Execution""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"", ""Description"": ""Enumeration for 3rd Party Creds From CLI""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of RAdmin RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml"", ""Description"": ""Detects potential files activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RAdmin RMM tool""}]","https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/, https://helpdesk.radmin.com/radmin3help/, https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm, https://helpdesk.radmin.com/radmin3help/files/cmd.htm","[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +Bitvise SSH Client,,Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Bitvise SSH Client\*, *\Bitvise SSH Client\*, *\BvSshClient-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Client RMM tool""}]",,[] +GoToAssist (GoTo Resolve),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramFiles*\GoTo Machine Installer\*, *\GoTo Machine Installer\*, *\GoTo\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] LogMeIn rescue,,LogMeIn rescue is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"support-logmeinrescue*.exe, support-logmeinrescue.exe, lmi_rescue.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.logmeinrescue.com"", ""*.logmeinrescue.eu"", ""logmeinrescue.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn rescue RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LogMeIn rescue RMM tool""}]",https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue,[] -UltraViewer,,UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"UltraViewer_Service.exe, UltraViewer_setup*, UltraViewer_Desktop.exe, ultraviewer.exe, C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe, *\UltraViewer\, *\UltraViewer_Desktop.exe, ultraviewer_desktop.exe, ultraviewer_service.exe, UltraViewer_Desktop.exe, UltraViewer_setup*, UltraViewer_Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""* .ultraviewer.net"", ""ultraviewer.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraViewer RMM tool""}]",https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html,[] 
-Pandora RC (eHorus),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ehorus standalone.exe, ehorus_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""portal.ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pandora RC (eHorus) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pandora RC (eHorus) RMM tool""}]",https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction,[] -IntelliAdmin Remote Control,,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iadmin.exe, intelliadmin.exe, agent32.exe, agent64.exe, agent_setup_5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.intelliadmin.com"", ""intelliadmin.com/remote-control""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of IntelliAdmin Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of IntelliAdmin Remote Control RMM tool""}]",intelliadmin.com/remote-control,[] -MEGAsync,,MEGAsync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*, *ProgramData\MEGAsync\*, *\MEGAsyncSetup64.exe, *\MEGAupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MEGAsync RMM tool""}]",,[] -Encapto,,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""encapto.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Encapto RMM tool""}]",https://www.encapto.com - used to manage Cisco services,[] -ShowMyPC,,ShowMyPC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SMPCSetup.exe, showmypc*.exe, showmypc.exe, smpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.showmypc.com"", ""showmypc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of ShowMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ShowMyPC RMM tool""}]",https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf,[] -Lite Manager,,Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\LiteManager Pro – Viewer\*, *\LiteManager Pro – Viewer\*, *\LMNoIpServer.exe.","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Splashtop (Beta),,Splashtop (Beta) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"SRServer.exe, SplashtopSOS.exe, Splashtop_Streamer_Windows*.exe, SRManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop (Beta) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop (Beta) RMM tool""}]",,[] +GoToAssist Agent Desktop Console,,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\G2RDesktopConsole-x64.msi, *\G2RDesktopConsole-x64.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +ConnectWise,,ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect*Client*\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] Netop Remote Control (aka Impero Connect),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, nldrw32.exe, rmserverconsolemediator.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com/impero-connect/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool""}]",,[] -GoToAssist,,GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gotoassist.exe, g2a*.exe, GoTo Assist Opener.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""goto.com"", ""*.getgo.com"", ""*.fastsupport.com"", ""*.gotoassist.com"", ""helpme.net"", ""*.gotoassist.me"", ""*.gotoassist.at"", ""*.desktopstreaming.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToAssist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GoToAssist RMM tool""}]",https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,[] -Ericom Connect,,Ericom Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"EricomConnectRemoteHost*.exe, ericomconnnectconfigurationtool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom Connect RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] -TeamViewer,,"TeamViewer is a remote monitoring and management (RMM) tool. -","Nasreddine Bencherchali, Michael Haag",2024-08-02,2024-08-02,https://www.teamviewer.com/en,TeamViewer.exe,,,TeamViewer,user,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows",,https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html,"C:\Program Files\TeamViewer\, teamviewer_desktop.exe, teamviewer_service.exe, teamviewerhost","{""Disk"": [{""File"": ""C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""C:\\Program Files\\TeamViewer\\Connections_incoming.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\TeamViewer\\TVNetwork.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": 
""teamviewerqs.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w32.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_x64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer_service.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db"", ""Description"": ""SQlite 3 database storing cache about TeamViewer chat"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db"", ""Description"": ""SQlite 3 database storing TeamViewer print jobs"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\TeamViewer\\connections*.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""TeamViewer"", ""ImagePath"": ""\""C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"""", ""Description"": ""Service installation event as result of TeamViewer installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": 
""HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.teamviewer.com""], ""Ports"": []}, {""Description"": ""N/A"", ""Domains"": [""router15.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""client.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""taf.teamviewer.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""Mutex"", ""Value"": ""TeamViewer_LogMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewerHooks_DynamicMemMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewer3_Win32_Instance_Mutex""}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of TeamViewer RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml"", ""Description"": ""Detects potential files activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeamViewer RMM tool""}]","https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer, https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#, https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/, https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/Purp1eW0lf/Blue-Team-Notes","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" +Splashtop Remote,,Splashtop Remote is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"strwinclt.exe, Splashtop_Streamer_Windows*.exe, SplashtopSOS.exe, sragent.exe, srmanager.exe, srserver.exe, srservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com"", ""*.api.splashtop.com"", ""*.relay.splashtop.com"", ""*.api.splashtop.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop Remote RMM tool""}]",https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,[] +Chrome SSH Extension,,Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*, *Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] Access Remote PC,,Access Remote PC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"rpcgrab.exe, rpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Access Remote PC RMM tool""}]",,[] -SecureCRT,,SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\SecureCRT.EXE, *\SecureCRT.EXE, *\VanDyke Software\ClientPack\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SecureCRT RMM tool""}]",,[] -Acronic Cyber Protect (Remotix),,Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"AcronisCyberProtectConnectQuickAssist*.exe, AcronisCyberProtectConnectAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.acronis.com"", ""agents*-cloud.acronis.com"", ""gw.remotix.com"", ""connect.acronis.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml"", ""Description"": ""Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool""}]",https://kb.acronis.com/content/47189,[] -Sorillus,,Sorillus is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Sorillus-Launcher*.exe, Sorillus Launcher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sorillus.com"", ""sorillus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sorillus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sorillus RMM tool""}]",https://sorillus.com/,[] -Barracuda,,Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.net"", ""rmm.barracudamsp.com"", ""barracudamsp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml"", ""Description"": ""Detects potential network activity of Barracuda RMM tool""}]",https://help.islonline.com/19799/166125,[] -DeskDay,,DeskDay is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ultimate_*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deskday.ai"", ""app.deskday.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml"", ""Description"": ""Detects potential network activity of DeskDay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DeskDay RMM tool""}]",https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate,[] -RemoteCall,,RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rcengmgru.exe, rcmgrsvc.exe, rxstartsupport.exe, rcstartsupport.exe, raautoup.exe, agentu.exe, remotesupportplayeru.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotecall.com"", ""*.startsupport.com"", ""remotecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteCall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteCall RMM tool""}]",https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,[] -Splashtop,,Splashtop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,Nasreddine Bencherchali,,,,,,,,,,,,,,"C:\Program Files (x86)\Splashtop\*, *\Splashtop\Splashtop Remote\Client for RMM\*, strwinclt.exe","{""Disk"": [{""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"", ""Description"": ""Splashtop Remote Service"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe"", ""Description"": ""SplashTop Remote Agent"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe"", ""Description"": ""Splashtop Updater"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files 
(x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop Software Updater Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Software Updater Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop\u00ae Remote Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""SplashtopRemoteService"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}], ""Registry"": [{""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*"", ""Description"": ""Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": ""Splashtop Software Updater uninstall key""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational"", ""Description"": ""Splashtop Streamer Remote Session event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational"", ""Description"": ""Splashtop Streamer Status event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount"", ""Description"": ""Splashtop Software Updater install reference count""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service safe boot configuration""}, {""Path"": ""HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*"", ""Description"": ""Default user Splashtop Inc. registry key""}, {""Path"": ""HKU\\SID\\Software\\Splashtop Inc.\\*"", ""Description"": ""User-specific Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer"", ""Description"": ""Splashtop PDF Remote Printer configuration""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*"", ""Description"": ""Splashtop Remote Server client information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.splashtop.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml"", ""Description"": ""Detects potential files activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop RMM tool""}]",https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html,"[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" -ManageEngine RMM Central,,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""manageengine.com/remote-monitoring-management/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of ManageEngine RMM Central RMM tool""}]",,[] -AeroAdmin,,AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aeroadmin.exe, AeroAdmin.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth*.aeroadmin.com"", ""aeroadmin.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of AeroAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AeroAdmin RMM tool""}]",https://support.aeroadmin.com/kb/faq.php?id=58,[] -NoMachine,,NoMachine is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nomachine*.exe, nxservice*.ese, nxd.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""nomachine.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml"", ""Description"": ""Detects potential network activity of NoMachine RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoMachine RMM tool""}]",https://kb.nomachine.com/AR04S01122,[] +N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"BASupSrvc.exe, winagent.exe, BASupApp.exe, BASupTSHelper.exe, Agent_*_RW.exe, BASEClient.exe, BASupSrvcCnfg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beanywhere.com "", ""systemmonitor.co.uk"", ""*system-monitor.com"", ""cloudbackup.management"", ""*systemmonitor.co.uk"", ""n-able.com"", ""systemmonitor.us"", ""*systemmonitor.eu.com"", ""*.logicnow.com"", ""*.swi-tc.com"", ""*remote.management"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""remote.management"", ""logicnow.com"", ""system-monitor.com"", ""*systemmonitor.us"", ""systemmonitor.eu.com"", ""*.n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] +Netop Remote Control (Impero Connect),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, ngstw32.exe, Netop Ondemand.exe, nldrw32.exe, rmserverconsolemediator.exe, ImperoInit.exe, Connect.Backdrop.cloud*.exe, ImperoClientSVC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.connect.backdrop.cloud"", ""*.netop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool""}]",https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,[] +Pocket Controller,,Pocket Controller is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"pocketcontroller.exe, pocketcloudservice.exe, wysebrowser.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""soti.net/products/soti-pocket-controller""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller RMM tool""}]",,[] +Pilixo,,Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rdp.exe, Pilixo_Installer*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pilixo.com"", ""download.pilixo.com"", ""*.pilixo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pilixo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pilixo RMM tool""}]",https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls,[] +Iperius Remote,,Iperius Remote is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iperius.exe, iperiusremote.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.iperiusremote.com"", ""*.iperius.com"", ""*.iperius-rs.com"", ""iperiusremote.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Iperius Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Iperius Remote RMM tool""}]",https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx,[] +Microsoft RDP,,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe, Microsoft Remote Desktop","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft RDP RMM tool""}]",https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows,[] +Total Software Deployment,,Total Software Deployment is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramData\Total Software Deployment\*, *\Total Software Deployment\*, *\tniwinagent.exe, *\Tsdservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Total Software Deployment RMM tool""}]",,[] +Apple Remote Desktop,,Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/24/2024,,,,,,,,,,,,ARDAgent.app,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Apple Remote Desktop RMM tool""}]",https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac,[] +Free Ping Tool,,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"can't find this one, can't find this one","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +LiteManager,,LiteManager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"lmnoipserver.exe, ROMFUSClient.exe, romfusclient.exe, romviewer.exe, romserver.exe, ROMServer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.litemanager.ru"", ""*.litemanager.com"", ""litemanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml"", ""Description"": ""Detects potential network activity of LiteManager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LiteManager RMM tool""}]",https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/,[] +NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, client32.exe, pcicfgui.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""geo.netsupportsoftware.com"", ""netsupportmanager.com"", ""*.netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[] +Weezo,,Weezo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"weezohttpd.exe, weezo.exe, weezo setup*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.weezo.me"", ""weezo.net"", ""*.weezo.net"", ""weezo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Weezo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Weezo RMM tool""}]",weezo.en.softonic.com,[] +Centurion,,Centurion is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ctiserv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""centuriontech.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml"", ""Description"": ""Detects potential network activity of Centurion RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Centurion RMM tool""}]",https://data443.atlassian.net/servicedesk/customer/portal/20,[] UltraVNC,,UltraVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,UltraVNC*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ultravnc.com"", ""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraVNC RMM tool""}]",https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html,[] -Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, ihcserver.exe, instanthousecall.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com"", ""secure.instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] -NinjaRMM,,NinjaRMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ninjarmmagent.exe, NinjaRMMAgent.exe, NinjaRMMAgenPatcher.exe, ninjarmm-cli.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ninjarmm.com"", ""*.ninjaone.com"", ""resources.ninjarmm.com"", ""ninjaone.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of NinjaRMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NinjaRMM RMM tool""}]",https://www.ninjaone.com/faq/,[] -ngrok,,ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ngrok.exe, C:\*\ngrok.zip, *\ngrok*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ngrok.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml"", ""Description"": ""Detects potential network activity of ngrok RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ngrok RMM tool""}]",https://ngrok.com/docs/guides/running-behind-firewalls/,[] -Bitvise SSH Client,,Bitvise SSH Client is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Bitvise SSH Client\*, *\Bitvise SSH Client\*, *\BvSshClient-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Client RMM tool""}]",,[] +TightVNC,,TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tvnviewer.exe, TightVNCViewerPortable*.exe, tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tightvnc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TightVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TightVNC RMM tool""}]",https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf,[] +ToDesk,,ToDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"todesk.exe, ToDesk_Service.exe, ToDesk_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""todesk.com"", ""*.todesk.com"", ""*.todesk.com"", ""todesktop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of ToDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ToDesk RMM tool""}]",https://www.todesk.com/,[] +GoToMyPC,,"GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. +",Nasreddine Bencherchali,2024-08-05,2024-08-05,,AppCore.exe,,,,,,,,,,C:\Program Files (x86)\GoToMyPC\*,"{""Disk"": [{""File"": ""%AppData%\\GoTo\\Logs\\goto.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc"", ""Description"": ""Configuration settings including registration email""}, {""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite"", ""Description"": ""Guest invites send to connect""}, {""Path"": ""HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}, {""Path"": ""HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.GoToMyPC.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml"", ""Description"": 
""Detects potential registry activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml"", ""Description"": ""Detects potential files activity of GoToMyPC RMM tool""}]","https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#, https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls, https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/","[{""Person"": ""Phill Moore"", ""Handle"": ""@phillmoore""}]" +Neturo,,Neturo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"neturo*.exe, ntrntservice.exe, neturo.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""neturo.uplus.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Neturo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Neturo RMM tool""}]","Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2",[] +GoToAssist,,GoToAssist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gotoassist.exe, g2a*.exe, GoTo Assist Opener.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""goto.com"", ""*.getgo.com"", ""*.fastsupport.com"", ""*.gotoassist.com"", ""helpme.net"", ""*.gotoassist.me"", ""*.gotoassist.at"", ""*.desktopstreaming.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToAssist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GoToAssist RMM tool""}]",https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,[] +DameWare,,DameWare is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"SolarWinds-Dameware-DRS*.exe, DameWare Mini Remote Control*.exe, C:\Windows\dwrcs\* + c:\Program File\SolarWinds\Dameware Mini Remote Control\*, dntus*.exe, dwrcs.exe, *\dwrcs\*, *\dwrcst.exe, DameWare Remote Support.exe, SolarWinds-Dameware-MRC*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""dameware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Dameware-mini remote control Protocol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DameWare RMM tool""}]",https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm,[] +OptiTune,,OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OTService.exe, OTPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.optitune.us"", ""*.opti-tune.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml"", ""Description"": ""Detects potential network activity of OptiTune RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OptiTune RMM tool""}]",https://www.bravurasoftware.com/optitune/support/faq.aspx,[] Chicken (of the VNC),,Chicken (of the VNC) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://github.com/flit/cotvnc,[] -SkyFex,,SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Deskroll.exe, DeskRollUA.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""skyfex.com"", ""deskroll.com"", ""*.deskroll.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml"", ""Description"": ""Detects potential network activity of SkyFex RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SkyFex RMM tool""}]",https://skyfex.com/,[] -Ericom AccessNow,,Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"accessserver*.exe, accessserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom AccessNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom AccessNow RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] -Microsoft RDP,,Microsoft RDP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe, Microsoft Remote Desktop","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft RDP RMM tool""}]",https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows,[] -Royal Server,,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Server RMM tool""}]",https://royalapps.com/server/main/features,[] -Solar-PuTTY,,Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Solar-Putty-v4\*, *\Solar-Putty-v4\*, *\Solar-PuTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Solar-PuTTY RMM tool""}]",,[] -Duplicati,,Duplicati is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files\*\Duplicati.Server.exe, *\*\Duplicati.Server.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Duplicati RMM tool""}]",,[] +UltraViewer,,UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"UltraViewer_Service.exe, UltraViewer_setup*, UltraViewer_Desktop.exe, ultraviewer.exe, C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe, *\UltraViewer\, *\UltraViewer_Desktop.exe, ultraviewer_desktop.exe, ultraviewer_service.exe, UltraViewer_Desktop.exe, UltraViewer_setup*, UltraViewer_Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""* .ultraviewer.net"", ""ultraviewer.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraViewer RMM tool""}]",https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html,[] +Barracuda,,Barracuda is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.net"", ""rmm.barracudamsp.com"", ""barracudamsp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml"", ""Description"": ""Detects potential network activity of Barracuda RMM tool""}]",https://help.islonline.com/19799/166125,[] +Senso.cloud,,Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SensoClient.exe, SensoService.exe, aadg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.senso.cloud"", ""senso.cloud""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Senso.cloud RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Senso.cloud RMM tool""}]",https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration,[] +Any Support,,Any Support is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,ManualLauncher.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.anysupport.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml"", ""Description"": ""Detects potential network activity of Any Support RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Any Support RMM tool""}]",https://www.anysupport.net/introduce_howto.php,[] Remote Desktop Plus,,Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""donkz.nl""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Desktop Plus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Desktop Plus RMM tool""}]",https://www.donkz.nl/,[] -ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net"", ""itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] -DesktopNow,,DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,desktopnow.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nchuser.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of DesktopNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DesktopNow RMM tool""}]",https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US,[] -Remmina,,Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Splashtop,,Splashtop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,Nasreddine Bencherchali,,,,,,,,,,,,,,"C:\Program Files (x86)\Splashtop\*, *\Splashtop\Splashtop Remote\Client for RMM\*, strwinclt.exe","{""Disk"": [{""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"", ""Description"": ""Splashtop Remote Service"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe"", ""Description"": ""SplashTop Remote Agent"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe"", ""Description"": ""Splashtop Updater"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files 
(x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop Software Updater Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Software Updater Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop\u00ae Remote Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""SplashtopRemoteService"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}], ""Registry"": [{""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*"", ""Description"": ""Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": ""Splashtop Software Updater uninstall key""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational"", ""Description"": ""Splashtop Streamer Remote Session event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational"", ""Description"": ""Splashtop Streamer Status event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount"", ""Description"": ""Splashtop Software Updater install reference count""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service safe boot configuration""}, {""Path"": ""HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*"", ""Description"": ""Default user Splashtop Inc. registry key""}, {""Path"": ""HKU\\SID\\Software\\Splashtop Inc.\\*"", ""Description"": ""User-specific Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer"", ""Description"": ""Splashtop PDF Remote Printer configuration""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*"", ""Description"": ""Splashtop Remote Server client information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.splashtop.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml"", ""Description"": ""Detects potential files activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop RMM tool""}]",https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html,"[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" +Remcos,,Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,remcos*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remcos RMM tool""}]",,[] +SpyAnywhere,,SpyAnywhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,sysdiag.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.spytech-web.com"", ""spyanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of SpyAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SpyAnywhere RMM tool""}]",https://www.spyanywhere.com/support.shtml,[] Distant Desktop,,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ddsystem.exe, dd.exe, distant-desktop.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.distantdesktop.com"", ""*signalserver.xyz""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Distant Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Distant Desktop RMM tool""}]",https://www.distantdesktop.com/manual/first-start.htm,[] -DameWare,,DameWare is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"SolarWinds-Dameware-DRS*.exe, DameWare Mini Remote Control*.exe, C:\Windows\dwrcs\* - c:\Program File\SolarWinds\Dameware Mini Remote Control\*, dntus*.exe, dwrcs.exe, *\dwrcs\*, *\dwrcst.exe, DameWare Remote Support.exe, SolarWinds-Dameware-MRC*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""dameware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Dameware-mini remote control Protocol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DameWare RMM tool""}]",https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm,[] -Level,,Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level RMM tool""}]",,[] -Insync,,Insync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\USERNAME\AppData\Roaming\Insync\App\Insync.exe, *Users\*\AppData\Roaming\Insync\App\Insync.exe, *\Insync.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Insync RMM tool""}]",,[] -ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"*\ISLLight.exe, isllight.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, ISLLight.exe, isllightservice.exe, islalwaysonmonitor.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] -Remote.it,,Remote.it is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remote-it-installer.exe, remote.it.exe, remoteit.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth.api.remote.it"", ""api.remote.it"", ""remote.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote.it RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote.it RMM tool""}]",https://docs.remote.it/introduction/get-started,[] -Netreo,,Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""charon.netreo.net"", ""activation.netreo.net"", ""*.api.netreo.com"", ""netreo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netreo RMM tool""}]",https://solutions.netreo.com/docs/firewall-requirements,[] -NoteOn-desktop sharing,,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoteOn-desktop sharing RMM tool""}]",,[] -Royal TS,,Royal TS is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,royalts.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal TS RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal TS RMM tool""}]",,[] -DeskNets,,DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://www.desknets.com/en/download.html,[] -QQ IM-remote assistance,,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"qq.exe, QQProtect.exe, qqpcmgr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.mdt.qq.com"", ""*.desktop.qq.com"", ""upload_data.qq.com"", ""qq-messenger.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml"", ""Description"": ""Detects potential network activity of QQ IM-remote assistance RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of QQ IM-remote assistance RMM tool""}]",https://en.wikipedia.org/wiki/Tencent_QQ,[] -PuTTY Tray,,PuTTY Tray is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\puttytray.exe, *\puttytray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PuTTY Tray RMM tool""}]",,[] -XRDP,,XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -FastViewer,,FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"fastclient.exe, fastmaster.exe, FastViewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fastviewer.com"", ""fastviewer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of FastViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FastViewer RMM tool""}]",https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf,[] -Jump Desktop,,Jump Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"jumpclient.exe, jumpdesktop.exe, jumpservice.exe, jumpconnect.exe, jumpupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.jumpdesktop.com"", ""jumpdesktop.com"", ""jumpto.me"", ""*.jumpto.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Jump Desktop RMM tool""}]",https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect,[] -Ivanti Remote Control,,Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"IvantiRemoteControl.exe, ArcUI.exe, AgentlessRC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ivanti Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ivanti Remote Control RMM tool""}]",https://rc1.ivanticloud.com/,[] -BeInSync,,BeInSync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,Beinsync*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beinsync.net"", ""*.beinsync.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeInSync RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeInSync RMM tool""}]",https://en.wikipedia.org/wiki/Phoenix_Technologies,[] -NateOn-desktop sharing,,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nate.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of NateOn-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NateOn-desktop sharing RMM tool""}]",http://rsupport.nate.com/rview/r8/main/index.aspx,[] -Xeox,,Xeox is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"xeox-agent_x64.exe, xeox_service_windows.exe, xeox-agent_*.exe, xeox-agent_x86.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.xeox.com"", ""xeox.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml"", ""Description"": ""Detects potential network activity of Xeox RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xeox RMM tool""}]",https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW,[] -WinSCP,,WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\IEUser\Downloads\WinSCP-5.21.6-Portable\*, *\WinSCP*Portable\*, *\WinSCP.exe, *\WinSCP\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WinSCP RMM tool""}]",,[] -DW Service,,DW Service is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"dwagsvc.exe, dwagent.exe, dwagsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.dwservice.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml"", ""Description"": ""Detects potential network activity of DW Service RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DW Service RMM tool""}]",https://news.dwservice.net/dwservice-security-infrastructure/,[] -NTR Remote,,NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,NTRsupportPro_EN.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ntrsupport.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of NTR Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NTR Remote RMM tool""}]",DOA as of 2024,[] -TurboMeeting,,TurboMeeting is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pcstarter.exe, turbomeeting.exe, turbomeetingstarter.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""acceo.com/turbomeeting/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml"", ""Description"": ""Detects potential network activity of TurboMeeting RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TurboMeeting RMM tool""}]",http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv,[] -RemoteUtilities,,RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"rutview.exe, *\Remote Manipulator System - Server\*, C:\Program Files\Remote Utilities\*, *\Remote Utilities\*, rutserv.exe, *\rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remoteutilities.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteUtilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteUtilities RMM tool""}]",,[] +Acronis Cyber Protect (Remotix),,Acronis Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"AcronisCyberProtectConnectQuickAssist*.exe, AcronisCyberProtectConnectAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.acronis.com"", ""agents*-cloud.acronis.com"", ""gw.remotix.com"", ""connect.acronis.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml"", ""Description"": ""Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool""}]",https://kb.acronis.com/content/47189,[] Pulseway,,Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"PCMonitorManager.exe, pcmonitorsrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pulseway.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pulseway RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pulseway RMM tool""}]",https://intercom.help/pulseway/en/,[] -Panorama9,,Panorama9 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,p9agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""trusted.panorama9.com"", ""changes.panorama9.com"", ""panorama9.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml"", ""Description"": ""Detects potential network activity of Panorama9 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Panorama9 RMM tool""}]",https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with,[] -Atera,,"Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransomware or facilitate command execution and lateral movement. -",,2024-08-03,2024-10-06,https://www.atera.com/,AteraAgent.exe,AteraAgent.exe,AteraAgent,,SYSTEM,30 day trial,None,"Windows, MacOS, Linux","Integrated remote access with Splashtop and AnyDesk, Remote monitoring and management, Patch management, Network discovery, Backup and disaster recovery, Helpdesk and ticketing, Reporting and analytics, Billing and invoicing, Customer portal, Mobile app","CVE-2023-26078, CVE-2023-26077","*\AgentPackageNetworkDiscovery.exe, *\AgentPackageTaskScheduler.exe, *\ATERA Networks\AteraAgent\*, *\AteraAgent.exe, atera_agent.exe, atera_agent.exe, ateraagent.exe, C:\Program Files\ATERA Networks\AteraAgent\*, C:\Program Files\Atera Networks, C:\Program Files (x86)\Atera Networks, syncrosetup.exe","{""Disk"": [{""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\*"", ""Description"": ""N/A"", ""OS"": 
""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"", ""Description"": ""Atera service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\Atera Networks\\AlphaAgent.exe"", ""Description"": ""Atera service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSTRemote\\AgentPackageSTRemote.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\AgentPackageMonitoring.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageHeartbeat\\AgentPackageHeartbeat.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\AgentPackageRunCommandInteractive.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AteraAgent"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\AteraAgent.exe\"""", ""Description"": ""Service installation event as result of AteraAgent installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""WinRing0_1_2_0"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageMonitoring\\\\OpenHardwareMonitorLib.sys\"""", ""Description"": ""Service installation event as result of Atera pakcage manager installation.""}, {""EventID"": 11707, ""ProviderName"": ""MsiInstaller"", ""LogFile"": ""Application.evtx"", ""Data"": 
""Product: AteraAgent -- Installation completed successfully."", ""Description"": ""Service installation event as result of AteraAgent installation.""}, {""EventID"": 4697, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\\\Program Files\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageFileExplorer\\\\AgentPackageFileExplorer.exe XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production 443 [BASE64BLOB]"", ""Description"": ""Service installation event as result of AteraAgent installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\ATERA Networks\\AlphaAgent"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AteraAgent"", ""Description"": null}, {""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc."", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AlphaAgent"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AteraAgent"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASAPI32"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASMANCS"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\ATERA Networks\\*"", ""Description"": null}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""pubsub.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""pubsub.pubnub.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agentreporting.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""getalphacontrol.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""app.atera.com""], ""Ports"": [""N/A""]}, {""Description"": 
""N/A"", ""Domains"": [""agenthb.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""packagesstore.blob.core.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""ps.pndsn.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agent-api.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""cacerts.thawte.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agentreportingstore.blob.core.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""atera-agent-heartbeat.servicebus.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""ps.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""atera.pubnubapi.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""appcdn.atera.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml"", ""Name"": ""AteraAgent malicious installations"", ""Description"": ""Detects AteraAgent installations with suspicious command line arguments.""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml"", ""Name"": ""Atera Agent Installation"", ""Description"": ""Detects Atera Agent installation.""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml"", ""Description"": ""Detects potential network activity of Atera RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml"", ""Description"": ""Detects potential files activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Atera RMM tool""}]","https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations, https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent, https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018, https://thedfirreport.com/?s=ateraagent","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}, {""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}, {""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -JollysFastVNC,,JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -RunSmart,,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""runsmart.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml"", ""Description"": ""Detects potential network activity of RunSmart RMM tool""}]",,[] -Chrome Remote Desktop,,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"remote_host.exe, remoting_host.exe, C:\Program Files (x86)\Google\Chrome Remote Desktop\*, *\Google\Chrome Remote Desktop\*, *\remoting_host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remotedesktop.google.com"", ""*remotedesktop-pa.googleapis.com"", ""remotedesktop.google.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Chrome Remote Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Chrome Remote Desktop RMM tool""}]",https://support.google.com/chrome/a/answer/2799701?hl=en,[] -Netviewer (GoToMeet),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nvClient.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer (GoToMeet) RMM tool""}]",Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html,[] -Netviewer,,Netviewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"netviewer*.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""download.cnet.com/Net-Viewer/3000-2370_4-10034828.html""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netviewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer RMM tool""}]",,[] -ConnectWise Control,,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"connectwisechat-customer.exe, connectwisecontrol.client.exe, screenconnect.windowsclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""live.screenconnect.com"", ""control.connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of ConnectWise Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ConnectWise Control RMM tool""}]",,[] -ExtraPuTTY,,ExtraPuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *\ExtraPuTTY-0.30-2016-01-28-installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ExtraPuTTY RMM tool""}]",,[] -FleetDeck.io,,FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"fleetdeck_agent_svc.exe, fleetdeck_commander_svc.exe, fleetdeck_installer.exe, fleetdeck_commander_launcher.exe, fleetdeck_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fleetdeck.io"", ""cognito-idp.us-west-2.amazonaws.com"", ""fleetdeck.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of FleetDesk.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FleetDesk.io RMM tool""}]",https://fleetdeck.io/faq/,[] -HelpU,,HelpU is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"helpu_install.exe, HelpuUpdater.exe, HelpuManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpu.co.kr"", ""*.helpu.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpU RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpU RMM tool""}]",https://helpu.co.kr/,[] -ToDesk,,ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"todesk.exe, ToDesk_Service.exe, ToDesk_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""todesk.com"", ""*.todesk.com"", ""*.todesk.com"", ""todesktop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of ToDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ToDesk RMM tool""}]",https://www.todesk.com/,[] -RAdmin,,"RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.radmin.com/,RServer3.exe,RServer3.exe,Radmin Server,Radmin Server,,,,Windows,,,"C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe, C:\Windows\SysWOW64\rserver30\rserver3.exe, C:\Windows\SysWOW64\rserver30\FamItrfc, C:\Windows\SysWOW64\rserver30\FamItrf2","{""Disk"": [{""File"": ""C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (32-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (64-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm"", ""Description"": ""RAdmin chat logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm"", ""Description"": ""RAdmin user chat logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""radmin.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml"", ""Description"": ""PUA - Radmin Viewer Utility Execution""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"", ""Description"": ""Enumeration for 3rd Party Creds From CLI""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of RAdmin RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml"", ""Description"": ""Detects potential files activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RAdmin RMM tool""}]","https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/, https://helpdesk.radmin.com/radmin3help/, https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm, https://helpdesk.radmin.com/radmin3help/files/cmd.htm","[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" -CrossLoop,,CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"crossloopservice.exe, CrossLoopConnect.exe, WinVNCStub.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.crossloop.com"", ""crossloop.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossLoop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossLoop RMM tool""}]",www.CrossLoop.com -> redirects to avast.com,[] -Centurion,,Centurion is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ctiserv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""centuriontech.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml"", ""Description"": ""Detects potential network activity of Centurion RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Centurion RMM tool""}]",https://data443.atlassian.net/servicedesk/customer/portal/20,[] -KickIdler,,KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"grabberEM.*msi, grabberTT*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kickidler.com"", ""my.kickidler.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml"", ""Description"": ""Detects potential network activity of KickIdler RMM tool""}]",https://www.kickidler.com/for-it/faq/,[] -Syncro,,Syncro is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"Syncro.Installer.exe, Kabuto.App.Runner.exe, Syncro.Overmind.Service.exe, Kabuto.Installer.exe, KabutoSetup.exe, Syncro.Service.exe, Kabuto.Service.Runner.exe, Syncro.App.Runner.exe, SyncroLive.Service.exe, SyncroLive.Agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kabuto.io"", ""*.syncromsp.com"", ""*.syncroapi.com"", ""syncromsp.com"", ""servably.com"", ""ld.aurelius.host"", ""app.kabuto.io "", ""*.kabutoservices.com"", ""repairshopr.com"", ""kabutoservices.com"", ""attachments.servably.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syncro RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncro RMM tool""}]",https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,[] -AweRay,,AweRay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aweray_remote*.exe, AweSun.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""asapi*.aweray.net"", ""client-api.aweray.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml"", ""Description"": ""Detects potential network activity of AweRay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AweRay RMM tool""}]",https://sun.aweray.com/help,[] -SunLogin,,SunLogin is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OrayRemoteShell.exe, OrayRemoteService.exe, sunlogin*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""sunlogin.oray.com"", ""client.oray.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml"", ""Description"": ""Detects potential network activity of SunLogin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SunLogin RMM tool""}]",https://sunlogin.oray.com/en/embed/software.html,[] -Koofr,,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -SysAid,,SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\SysAidServer\*, *\SysAidServer\*, *\SysAid\*, *\IliAS.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SysAid RMM tool""}]",,[] -Neturo,,Neturo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"neturo*.exe, ntrntservice.exe, neturo.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""neturo.uplus.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Neturo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Neturo RMM tool""}]","Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2",[] -SmarTTY,,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files (x86)\Sysprogs\SmarTTY\*, *\Sysprogs\SmarTTY\*, *\SmarTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SmarTTY RMM tool""}]",,[] -Impero Connect,,Impero Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ImperoClientSVC.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Impero Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Impero Connect RMM tool""}]",,[] -247ithelp.com (ConnectWise),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Remote Workforce Client.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.247ithelp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool""}]",Similar / replaced by ScreenConnect,[] -Remobo,,Remobo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remobo.exe, remobo_client.exe, remobo_tracker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""remobo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remobo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remobo RMM tool""}]",https://www.remobo.com - DOA as of 2024,[] -Free Tools Launcher,,Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ManageEngine\ManageEngine Free Tools\Launcher\*, *\ManageEngine\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Echoware,,Echoware is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"echoserver*.exe, echoware.dll","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Echoware RMM tool""}]",,[] +TeamViewer,,"TeamViewer is a remote monitoring and management (RMM) tool. 
+","Nasreddine Bencherchali, Michael Haag",2024-08-02,2024-08-02,https://www.teamviewer.com/en,TeamViewer.exe,,,TeamViewer,user,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows",,https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html,"C:\Program Files\TeamViewer\, teamviewer_desktop.exe, teamviewer_service.exe, teamviewerhost","{""Disk"": [{""File"": ""C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""C:\\Program Files\\TeamViewer\\Connections_incoming.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\TeamViewer\\TVNetwork.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""teamviewerqs.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w32.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_x64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer_service.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db"", ""Description"": ""SQlite 3 database storing cache about TeamViewer chat"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db"", ""Description"": ""SQlite 3 database storing TeamViewer print jobs"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start 
Menu\\Programs\\TeamViewer.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\TeamViewer\\connections*.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""TeamViewer"", ""ImagePath"": ""\""C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"""", ""Description"": ""Service installation event as result of TeamViewer installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint"", ""Description"": ""N/A""}, {""Path"": 
""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.teamviewer.com""], ""Ports"": []}, {""Description"": ""N/A"", ""Domains"": [""router15.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""client.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""taf.teamviewer.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""Mutex"", ""Value"": ""TeamViewer_LogMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewerHooks_DynamicMemMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewer3_Win32_Instance_Mutex""}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml"", ""Description"": ""Detects potential files activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeamViewer RMM tool""}]","https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer, https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#, https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/, 
https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/Purp1eW0lf/Blue-Team-Notes","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" Zoho Assist,,Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zaservice.exe, ZMAgent.exe, C:\*\ZA_Access.exe, ZohoMeeting.exe, Zohours.exe, zohotray.exe, ZohoURSService.exe, *\ZA_Access.exe, Zaservice.exe, za_connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.zoho.com.au"", ""*.zohoassist.jp"", ""assist.zoho.com"", ""zoho.com/assist/"", ""*.zoho.in"", ""downloads.zohodl.com.cn"", ""*.zohoassist.com"", ""downloads.zohocdn.com"", ""gateway.zohoassist.com"", ""*.zohoassist.com.cn"", ""*.zoho.com.cn"", ""*.zoho.com"", ""*.zoho.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zoho Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zoho Assist RMM tool""}]",https://www.zoho.com/assist/kb/firewall-configuration.html,[] -KiTTY,,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\kitty.exe, *\kitty.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KiTTY RMM tool""}]",,[] -SimpleHelp,,SimpleHelp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"simplehelpcustomer.exe, simpleservice.exe, simplegatewayservice.exe, remote access.exe, windowslauncher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""simple-help.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of SimpleHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SimpleHelp RMM tool""}]",https://simple-help.com/remote-support,[] -CloudFlare Tunnel,,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,cloudflared.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloudflare.com/products/tunnel/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of CloudFlare Tunnel RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudFlare Tunnel RMM tool""}]",cloudflare.com/products/tunnel/,[] -GoTo Opener,,GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\GoTo Opener, *\GoTo Opener","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Pcvisit,,Pcvisit is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcvisit.exe, pcvisit_client.exe, pcvisit-easysupport.exe, pcvisit_service_client.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.pcvisit.de"", ""pcvisit.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pcvisit RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pcvisit RMM tool""}]",https://www.pcvisit.de/,[] -Mocha VNC Lite,,Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"This installs a modified VNC and cannot be blocked by path separate from VNC, This installs a modified VNC and cannot be blocked by path separate from VNC, *\RealVNC\VNC4\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Laplink Gold,,Laplink Gold is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"tsircusr.exe, laplink.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""wen.laplink.com/product/laplink-gold""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Gold RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Gold RMM tool""}]",wen.laplink.com/product/laplink-gold,[] -Iperius Remote,,Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iperius.exe, iperiusremote.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.iperiusremote.com"", ""*.iperius.com"", ""*.iperius-rs.com"", ""iperiusremote.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Iperius Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Iperius Remote RMM tool""}]",https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx,[] -BeamYourScreen,,BeamYourScreen is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"beamyourscreen.exe, beamyourscreen-host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beamyourscreen.com"", ""*.beamyourscreen.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeamYourScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeamYourScreen RMM tool""}]",beamyourscreen redirects to https://www.mikogo.com/,[] -TeleDesktop,,TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pstlaunch.exe, ptdskclient.exe, ptdskhost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tele-desk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeleDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeleDesktop RMM tool""}]",http://potomacsoft.com/ - DOA as of 2024,[] -Parallels Access,,Parallels Access is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"parallelsaccess-*.exe, TSClient.exe, prl_deskctl_agent.exe, prl_deskctl_wizard.exe, prl_pm_service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.parallels.com"", ""parallels.com/products/ras/try""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml"", ""Description"": ""Detects potential network activity of Parallels Access RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Parallels Access RMM tool""}]",https://kb.parallels.com/en/129097,[] -Basecamp,,Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""basecamp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml"", ""Description"": ""Detects potential network activity of Basecamp RMM tool""}]",basecamp.com - No specific RMM tool listed,[] -Weezo,,Weezo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"weezohttpd.exe, weezo.exe, weezo setup*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.weezo.me"", ""weezo.net"", ""*.weezo.net"", ""weezo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Weezo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Weezo RMM tool""}]",weezo.en.softonic.com,[] -X2Go,,X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://wiki.x2go.org/doku.php,[] -Dev Tunnels (aka Visual Studio Dev Tunnel),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml"", ""Description"": ""Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool""}]",,[] +HelpU,,HelpU is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"helpu_install.exe, HelpuUpdater.exe, HelpuManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpu.co.kr"", ""*.helpu.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpU RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpU RMM tool""}]",https://helpu.co.kr/,[] +NinjaOne (formerly NinjaRMM),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,*ProgramData\NinjaRMMAgent\*,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +ezHelp,,ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ezhelpclientmanager.exe, ezHelpManager.exe, ezhelpclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ezhelp.co.kr"", ""ezhelp.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of ezHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ezHelp RMM tool""}]",https://www.exhelp.co.kr,[] +LabTeach (Connectwise Automate),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ltsvc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool""}]",,[] +FreeNX,,FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\nxplayer.exe, *\nxplayer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FreeNX RMM tool""}]",,[] +DragonDisk,,DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Almageste\DragonDisk\*, *\Almageste\DragonDisk\*, *\DragonDisk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DragonDisk RMM tool""}]",,[] +Manage Engine (Desktop Central),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"dcagentservice.exe, dcagentregister.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""desktopcentral.manageengine.com"", ""desktopcentral.manageengine.com.eu"", ""desktopcentral.manageengine.cn"", ""*.dms.zoho.com"", ""*.dms.zoho.com.eu"", ""*.-dms.zoho.com.cn""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of Desktop Central RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Desktop Central RMM tool""}]",,[] +Encapto,,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""encapto.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Encapto RMM tool""}]",https://www.encapto.com - used to manage Cisco services,[] +ConnectWise Control,,ConnectWise Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"connectwisechat-customer.exe, connectwisecontrol.client.exe, screenconnect.windowsclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""live.screenconnect.com"", ""control.connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of ConnectWise Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ConnectWise Control RMM tool""}]",,[] +Jump Desktop,,Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"jumpclient.exe, jumpdesktop.exe, jumpservice.exe, jumpconnect.exe, jumpupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.jumpdesktop.com"", ""jumpdesktop.com"", ""jumpto.me"", ""*.jumpto.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Jump Desktop RMM tool""}]",https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect,[] +MyGreenPC,,MyGreenPC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,mygreenpc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*mygreenpc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyGreenPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyGreenPC RMM tool""}]",http://www.mygreenpc.com/,[] +CruzControl,,CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://resources.doradosoftware.com/cruz-rmm,[] Connectwise Automate (LabTech),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.hostedrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml"", ""Description"": ""Detects potential network activity of Connectwise Automate (LabTech) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Connectwise Automate (LabTech) RMM tool""}]",https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate,[] -Splashtop (Beta),,Splashtop (Beta) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"SRServer.exe, SplashtopSOS.exe, Splashtop_Streamer_Windows*.exe, SRManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop (Beta) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop (Beta) RMM tool""}]",,[] -Netop,,Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Danware Data\NetOp Packn Deploy\*, *\Danware Data\NetOp Packn Deploy\*, *\Netop Remote Control\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Kaseya (VSA),,"Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,,agentmon.exe,,,,,,,,,,"C:\Program Files (x86)\Kaseya\, C:\ProgramData\Kaseya\","{""Disk"": [{""File"": ""%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""Windows""}, {""File"": ""~/Library/Logs/com.kaseya/KaseyaLiveConnect/*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""MacOS""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*"", ""Description"": ""Kaseya Endpoint logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\Kaseya\\*\\agentmon.log"", ""Description"": ""Kaseya Agent Monitor log""}, {""File"": ""/var/log/system.log"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 32bit""}, {""File"": "" ~/opt/kaseya/*/logs*"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 64bit""}, {""File"": ""C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in user temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in Windows temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*"", ""Description"": ""Kaseya Edge Services logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.0\\logs\\"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoint\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoints\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\WebPages\\install\\makecert.txt"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": 
""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*"", ""Description"": ""Endpoint service logs"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*"", ""Description"": ""Session logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deploy01.kaseya.com"", ""*managedsupport.kaseya.net"", ""*.kaseya.net"", ""kaseya.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml"", ""Description"": ""Detects potential network activity of Kaseya (VSA) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml"", ""Description"": ""Detects potential files activity of Kaseya (VSA) RMM tool""}]","https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations, https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",[] -HelpBeam,,HelpBeam is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,helpbeam*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpbeam.software.informer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpBeam RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpBeam RMM tool""}]",https://www.helpbeam.com domain for sale in 2024,[] -Quest KACE Agent (formerly Dell KACE),,Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,konea.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kace.com"", ""www.quest.com/kace/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml"", ""Description"": ""Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool""}]",https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function,[] +NoteOn-desktop sharing,,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoteOn-desktop sharing RMM tool""}]",,[] +Basecamp,,Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""basecamp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml"", ""Description"": ""Detects potential network activity of Basecamp RMM tool""}]",basecamp.com - No specific RMM tool listed,[] +DesktopNow,,DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,desktopnow.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nchuser.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of DesktopNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DesktopNow RMM tool""}]",https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US,[] DeskShare,,DeskShare is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"TeamTaskManager.exe, DSGuest.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml"", ""Description"": ""Detects potential network activity of DeskShare RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DeskShare RMM tool""}]",https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx,[] -rdpwrap,,rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"RDPWInst.exe, RDPCheck.exe, RDPConf.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/stascorp/rdpwrap""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdpwrap RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdpwrap RMM tool""}]",github.com/stascorp/rdpwrap,[] -Total Software Deployment,,Total Software Deployment is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramData\Total Software Deployment\*, *\Total Software Deployment\*, *\tniwinagent.exe, *\Tsdservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Total Software Deployment RMM tool""}]",,[] -PuTTY,,PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -RDPView,,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,dwrcs.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""systemmanager.ru/dntu.en/rdp_view.htm""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RDPView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RDPView RMM tool""}]",systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware,[] -Fortra,,Fortra is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fortra.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml"", ""Description"": ""Detects potential network activity of Fortra RMM tool""}]",https://www.fortra.com - No free/cloud RMM softwars listed,[] -ISL Light,,ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""islonline.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Light RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Light RMM tool""}]",,[] -Pocket Controller (Soti Xsight),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcontroller.exe, wysebrowser.exe, XSightService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*soti.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool""}]",https://pulse.soti.net/support/soti-xsight/help/,[] +RPort,,RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rport.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""rport.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml"", ""Description"": ""Detects potential network activity of RPort RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RPort RMM tool""}]",https://kb.rport.io/using-the-remote-access,[] +SuperPuTTY,,SuperPuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Downloads\SuperPuTTY\*, *Downloads\SuperPuTTY\*, *\superputty.exe, *\SuperPuTTY\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperPuTTY RMM tool""}]",,[] GatherPlace-desktop sharing,,GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gp3.exe, gp4.exe, gp5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gatherplace.com"", ""*.gatherplace.net"", ""gatherplace.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of GatherPlace-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GatherPlace-desktop sharing RMM tool""}]",https://www.gatherplace.com/kb?id=136377,[] -Site24x7,,Site24x7 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"MEAgentHelper.exe, MonitoringAgent.exe, Site24x7WindowsAgentTrayIcon.exe, Site24x7PluginAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""plus*.site24x7.com"", ""plus*.site24x7.eu"", ""plus*.site24x7.in"", ""plus*.site24x7.cn"", ""plus*.site24x7.net.au"", ""site24x7.com/msp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Site24x7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Site24x7 RMM tool""}]",https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,[] -MeshCentral,,"MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes. -",@kostastsale,2024-09-20,2024-09-20,https://meshcentral.com/,MeshAgent.exe,,MeshCentral Background Service Agent,,SYSTEM,Yes,N/A,"Windows, Linux, MacOS, FreeBSD","Remote Desktop & Terminal, Remote File Access, Text and Voice Chat, Server File Storage, Real-time User interface, Port Forwarding",CVE-2024-26135,"meshcentral*.exe, meshagent*.exe","{""Disk"": [{""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.exe"", ""Description"": ""Local MeshAgent service binary after installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.msh"", ""Description"": ""Local MeshAgent service configuration file. 
Contains configuration settings including the MeshCentral server address, port, and other settings. If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary."", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Mesh Agent background service"", ""ImagePath"": ""\""C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"""", ""Description"": ""Service installation event as result of MeshAgent installation.""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""meshcentral.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml"", ""Description"": ""Detects potential network activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml"", ""Description"": ""Detects MeshAgent Command Execution via MeshCentral""}]","https://ylianst.github.io/MeshCentral/meshcentral/, https://github.com/Ylianst/MeshAgent","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -MSP360,,MSP360 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Online Backup.exe, CBBackupPlan.exe, Cloud.Backup.Scheduler.exe, Cloud.Backup.RM.Service.exe, cbb.exe, CloudRaService.exe, CloudRaSd.exe, CloudRaCmd.exe, CloudRaUtilities.exe, Remote Desktop.exe, Connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.cloudberrylab.com"", ""*.msp360.com"", ""*.mspbackups.com"", ""msp360.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml"", ""Description"": ""Detects potential network activity of MSP360 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MSP360 RMM tool""}]",https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,[] +S3 Browser,,S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\S3 Browser\*, *\S3 Browser\*, *\s3browser*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of S3 Browser RMM tool""}]",,[] +NTR Remote,,NTR Remote is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,NTRsupportPro_EN.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ntrsupport.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of NTR Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NTR Remote RMM tool""}]",DOA as of 2024,[] +PSEXEC (Clone),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"paexec.exe, PAExec-*.exe, csexec.exe , remcom.exe, remcomsvc.exe, xcmd.exe, xcmdsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC (Clone) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC (Clone) RMM tool""}]",https://www.poweradmin.com/paexec/,[] +IntelliAdmin Remote Control,,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iadmin.exe, intelliadmin.exe, agent32.exe, agent64.exe, agent_setup_5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.intelliadmin.com"", ""intelliadmin.com/remote-control""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of IntelliAdmin Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of IntelliAdmin Remote Control RMM tool""}]",intelliadmin.com/remote-control,[] +N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Agent_*_RW.exe, BASEClient.exe, BASupApp.exe, BASupSrvc.exe, BASupSrvcCnfg.exe, BASupTSHelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remote.management"", ""*.logicnow.com"", ""*systemmonitor.us"", ""*systemmonitor.eu.com"", ""*system-monitor.com"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""*systemmonitor.co.uk"", ""*.n-able.com"", ""*.beanywhere.com "", ""*.swi-tc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects 
potential processes activity of N-Able Advanced Monitoring Agent RMM tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] +ngrok,,ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ngrok.exe, C:\*\ngrok.zip, *\ngrok*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ngrok.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml"", ""Description"": ""Detects potential network activity of ngrok RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ngrok RMM tool""}]",https://ngrok.com/docs/guides/running-behind-firewalls/,[] +Mocha VNC Lite,,Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"This installs a modified VNC and cannot be blocked by path separate from VNC, This installs a modified VNC and cannot be blocked by path separate from VNC, *\RealVNC\VNC4\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +SkyFex,,SkyFex is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Deskroll.exe, DeskRollUA.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""skyfex.com"", ""deskroll.com"", ""*.deskroll.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml"", ""Description"": ""Detects potential network activity of SkyFex RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SkyFex RMM tool""}]",https://skyfex.com/,[] +Laplink Gold,,Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"tsircusr.exe, laplink.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""wen.laplink.com/product/laplink-gold""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Gold RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Gold RMM tool""}]",wen.laplink.com/product/laplink-gold,[] +Pandora RC (eHorus),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ehorus standalone.exe, ehorus_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""portal.ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pandora RC (eHorus) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pandora RC (eHorus) RMM tool""}]",https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction,[] +FastViewer,,FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"fastclient.exe, fastmaster.exe, FastViewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fastviewer.com"", ""fastviewer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of FastViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FastViewer RMM tool""}]",https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf,[] +XRDP,,XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +PuTTY,,PuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +KickIdler,,KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"grabberEM.*msi, grabberTT*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kickidler.com"", ""my.kickidler.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml"", ""Description"": ""Detects potential network activity of KickIdler RMM tool""}]",https://www.kickidler.com/for-it/faq/,[] +Tactical RMM,,Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tacticalrmm.exe, tacticalrmm.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""login.tailscale.com"", ""login.tailscale.com"", ""docs.tacticalrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tactical RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tactical RMM RMM tool""}]",docs.tacticalrmm.com,[] +FreeRDP,,FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +RemoteCall,,RemoteCall is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rcengmgru.exe, rcmgrsvc.exe, rxstartsupport.exe, rcstartsupport.exe, raautoup.exe, agentu.exe, remotesupportplayeru.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotecall.com"", ""*.startsupport.com"", ""remotecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteCall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteCall RMM tool""}]",https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,[] +ZOC,,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ZOC8\*, *\ZOC?\*, *\zoc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZOC RMM tool""}]",,[] ScreenConnect,,ScreenConnect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,"Ali Alwashali, Nasreddine Bencherchali",2023-10-01,2024-08-03,https://www.connectwise.com,,,,,,14-Days Free Trial,,"Android, IOS, Linux, Mac, Windows","Command Line Support, File Transfer, Install Windows updates, Receive notification when user performs a predefined event, Remote Command Line, Remote Control, Sound Capture, Start / Stop services, View event logs",,"C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe, Remote Workforce Client.exe, *\*\ScreenConnect.ClientService.exe, C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect Client*\*, *\*\ScreenConnect.WindowsClient.exe, screenconnect*.exe, screenconnect.windowsclient.exe, Remote Workforce Client.exe, screenconnect*.exe, ConnectWiseControl*.exe, connectwise*.exe, screenconnect.windowsclient.exe, screenconnect.clientservice.exe","{""Disk"": [{""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db"", ""Description"": ""ScreenConnect session database"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml"", ""Description"": ""ScreenConnect user configuration"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\ScreenConnect Client*\\user.config"", ""Description"": ""ScreenConnect client user configuration"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""control.connectwise.com"", ""*.connectwise.com"", ""*.screenconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenConnect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml"", ""Description"": ""Detects potential files activity of ScreenConnect RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenConnect RMM tool""}]",https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/,[] -Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft TSC RMM tool""}]",https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[] -Tanium,,Tanium is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"TaniumClient.exe, TaniumCX.exe, TaniumExecWrapper.exe, TaniumFileInfo.exe, TPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.tanium.com"", ""*.cloud.tanium.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tanium RMM tool""}]",https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html,[] -Ultra VNC,,Ultra VNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\uvnc bvba\UltraVNC\*, *\uvnc bvba\UltraVNC\*, *\UVNC_Launch.exe, *\winvnc.exe, *\vncviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ultra VNC RMM tool""}]",,[] -Remote Manipulator System,,Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rfusclient.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru"", ""rmansys.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Manipulator System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Manipulator System RMM tool""}]",https://rmansys.ru/files/,[] -Domotz,,Domotz is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"domotz.exe, Domotz Pro Desktop App.exe, domotz_bash.exe, domotz*.exe, Domotz Pro Desktop App Setup*.exe, domotz-windows*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.domotz.co"", ""domotz.com"", ""*cell-1.domotz.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml"", ""Description"": ""Detects potential network activity of Domotz RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Domotz RMM tool""}]",https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,[] -FixMe.it,,FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"FixMeit Client.exe, TiExpertStandalone.exe, FixMeitClient*.exe, TiExpertCore.exe, FixMeit Unattended Access Setup.exe, FixMeit Expert Setup.exe, TiExpertCore.exe, fixmeitclient.exe, TiClientCore.exe, TiClientHelper*.exe, 9380CC75B872221A7425D7503565B67580407F60","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fixme.it"", ""*.techinline.net"", ""fixme.it"", ""*set.me"", ""*setme.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml"", ""Description"": ""Detects potential network activity of FixMe RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FixMe RMM tool""}]",,[] +Insync,,Insync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\USERNAME\AppData\Roaming\Insync\App\Insync.exe, *Users\*\AppData\Roaming\Insync\App\Insync.exe, *\Insync.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Insync RMM tool""}]",,[] +ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] +BeyondTrust,,BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Guacamole,,Guacamole is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,guacd.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""guacamole.apache.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml"", ""Description"": ""Detects potential network activity of Guacamole RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Guacamole RMM tool""}]",guacamole.apache.org,[] Tanium Deploy,,Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""tanium.com/products/tanium-deploy""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium Deploy RMM tool""}]",,[] -N-ABLE Remote Access Software,,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-ABLE Remote Access Software RMM tool""}]",,[] -Quick Assist,,Quick Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.support.services.microsoft.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quick Assist RMM tool""}]",,[] -AnyViewer,,"AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -",@kostastsale,2024-08-03,2024-08-03,https://www.anyviewer.com/,AnyViewer.exe,AnyViewer,Splash Window,,System,up to 10 devices,None,Windows,"Remote desktop, Remote file transfer, Remote monitoring and management, Remote shell open",,C:\Program Files (x86)\AnyViewer\*,"{""Disk"": [], ""EventLog"": [{""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""\""C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\"" -d"", ""Description"": ""Taking actions on the remote machine such as opening a command prompt.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""RCService"", ""ImagePath"": ""C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe"", ""Description"": ""AnyViewer service installation service.""}], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.anyviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.aomeisoftware.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the 
execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of AnyViewer RMM tool""}]","https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html, https://www.anyviewer.com/help/remote-technical-support.html","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -Naverisk,,Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,AgentSetup-*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""naverisk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml"", ""Description"": ""Detects potential network activity of Naverisk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Naverisk RMM tool""}]",http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents,[] -Addigy,,Addigy is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,addigy-*.pkg,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""prod.addigy.com"", ""grtmprod.addigy.com"", ""agents.addigy.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Addigy RMM tool""}]",https://addigy.com/,[] -Action1,,"Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. -Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed. -",@kostastsale,2024-08-03,2024-10-06,https://www.action1.com/,action1_connector.exe,,,,SYSTEM,Yes,Corporate email required although temporary email services are accepted,Windows,"Backup and disaster recovery, Billing and invoicing, Customer portal, HelpDesk and ticketing, Mobile app, Network discovery, Patch management, Remote monitoring and management, Reporting and analytics",,C:\Windows\Action1\*,"{""Disk"": [{""File"": ""C:\\Windows\\Action1\\action1_agent.exe"", ""Description"": ""Action1 service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\*"", ""Description"": ""Multiple files and binaries related to Action1 installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\scripts\\*"", ""Description"": ""Multiple scripts related to Action1 installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\rule_data\\*"", ""Description"": ""Files related to Action1 rules"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\action1_log_*.log"", ""Description"": ""Contains history, errors, system notifications. 
Incoming and outgoing connections."", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""A1Agent"", ""ImagePath"": ""\""C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"""", ""Description"": ""Service installation event as result of Action1 installation.""}, {""EventID"": 4697, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""ServiceName"": ""A1Agent"", ""CommandLine"": ""C:\\Windows\\Action1\\action1_agent.exe service"", ""Description"": ""Service installation event as result of Action1 installation.""}, {""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\Windows\\Action1\\action1_agent.exe loggedonuser"", ""Description"": ""Executing command to get logged on user.""}], ""Registry"": [{""Path"": ""HKLM\\System\\CurrentControlSet\\Services\\A1Agent"", ""Description"": ""Service installation event as result of Action1 installation.""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe"", ""Description"": ""Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software.""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Action1"", ""Description"": ""Storing its configuration settings and other relevant information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.action1.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""a1-backend-packages.s3.amazonaws.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": 
""https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Action1 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml"", ""Description"": ""Detects potential network activity of Action1 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml"", ""Description"": ""Detects potential files activity of Action1 RMM tool""}]","https://www.action1.com/documentation/firewall-configuration/, https://www.action1.com/documentation/, https://twitter.com/Kostastsale/status/1646256901506605063?s=20, https://ruler-project.github.io/ruler-project/RULER/remote/Action1/","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -AliWangWang-remote-control,,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,alitask.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""wangwang.taobao.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml"", ""Description"": ""Detects potential network activity of AliWangWang-remote-control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AliWangWang-remote-control RMM tool""}]",https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale,[] -FreeRDP,,FreeRDP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -MioNet (Also known as WD Anywhere Access),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool""}]",,[] -SmartCode Web VNC,,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\TightVNC\*, *\TightVNC\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +HelpBeam,,HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,helpbeam*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpbeam.software.informer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpBeam RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpBeam RMM tool""}]",https://www.helpbeam.com domain for sale in 2024,[] +CarotDAV,,CarotDAV is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Rei Software\CarotDAV\*, *\Rei Software\CarotDAV\*, *\CarotDAV.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CarotDAV RMM tool""}]",,[] +Royal TS,,Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,royalts.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal TS RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal TS RMM tool""}]",,[] Onionshare,,Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\OnionShare\*, *\OnionShare\*, *\onionshare*.exe, OnionShare-win*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Onionshare RMM tool""}]",,[] -Rocket Remote Desktop,,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"RDConsole.exe, RocketRemoteDesktop_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rocket Remote Desktop RMM tool""}]",,[] -WebRDP,,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,webrdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/Mikej81/WebRDP""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml"", ""Description"": ""Detects potential network activity of WebRDP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WebRDP RMM tool""}]",github.com/Mikej81/WebRDP,[] -BeyondTrust,,BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -SuperOps,,SuperOps is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"superopsticket.exe, superops.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.superopsbeta.com"", ""superops.ai"", ""serv.superopsalpha.com"", ""*.superops.ai"", ""*.superopsalpha.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml"", ""Description"": ""Detects potential network activity of SuperOps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperOps RMM tool""}]",https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent,[] -RemotePass,,RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"remotepass-access.exe, rpaccess.exe, rpwhostscr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remotepass.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePass RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePass RMM tool""}]",https://www.remotepass.com/rpaccess.html - DOA as of 2024,[] -Itarian,,Itarian is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ITSMAgent.exe, RViewer.exe, ItsmRsp.exe, RAccess.exe, RmmService.exe, ITarianRemoteAccessSetup.exe, RDesktop.exe, ComodoRemoteControl.exe, ITSMService.exe, RHost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""mdmsupport.comodo.com"", ""*.itsm-us1.comodo.com"", ""*.cmdm.comodo.com"", ""remoteaccess.itarian.com"", ""servicedesk.itarian.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml"", ""Description"": ""Detects potential network activity of Itarian RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Itarian RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] -PSEXEC,,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"psexec.exe, psexecsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC RMM tool""}]",https://learn.microsoft.com/en-us/sysinternals/downloads/psexec,[] +PuTTY Tray,,PuTTY Tray is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\puttytray.exe, *\puttytray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PuTTY Tray RMM tool""}]",,[] +SmartFTP,,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\SmartFTP Client\en-US\, *\SmartFTP Client\*, *\SfShellTools.dll.mui","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Kaseya (VSA),,"Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. +",Nasreddine Bencherchali,2024-08-05,2024-08-05,,agentmon.exe,,,,,,,,,,"C:\Program Files (x86)\Kaseya\, C:\ProgramData\Kaseya\","{""Disk"": [{""File"": ""%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""Windows""}, {""File"": ""~/Library/Logs/com.kaseya/KaseyaLiveConnect/*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""MacOS""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*"", ""Description"": ""Kaseya Endpoint logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\Kaseya\\*\\agentmon.log"", ""Description"": ""Kaseya Agent Monitor log""}, {""File"": ""/var/log/system.log"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 32bit""}, {""File"": "" ~/opt/kaseya/*/logs*"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 64bit""}, {""File"": ""C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in user temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in Windows temp directory"", ""OS"": ""Windows""}, {""File"": 
""C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*"", ""Description"": ""Kaseya Edge Services logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.0\\logs\\"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoint\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoints\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\WebPages\\install\\makecert.txt"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*"", ""Description"": ""Endpoint service logs"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*"", ""Description"": ""Session logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deploy01.kaseya.com"", ""*managedsupport.kaseya.net"", ""*.kaseya.net"", ""kaseya.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml"", ""Description"": ""Detects potential network activity of Kaseya (VSA) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml"", ""Description"": ""Detects potential files activity of Kaseya (VSA) RMM tool""}]","https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations, https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/, 
https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",[] +Free Tools Launcher,,Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ManageEngine\ManageEngine Free Tools\Launcher\*, *\ManageEngine\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +SecureCRT,,SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\SecureCRT.EXE, *\SecureCRT.EXE, *\VanDyke Software\ClientPack\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SecureCRT RMM tool""}]",,[] +Chrome Remote Desktop,,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"remote_host.exe, remoting_host.exe, C:\Program Files (x86)\Google\Chrome Remote Desktop\*, *\Google\Chrome Remote Desktop\*, *\remoting_host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remotedesktop.google.com"", ""*remotedesktop-pa.googleapis.com"", ""remotedesktop.google.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Chrome Remote Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Chrome Remote Desktop RMM tool""}]",https://support.google.com/chrome/a/answer/2799701?hl=en,[] +GetScreen,,GetScreen is a remote 
monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"GetScreen.exe, getscreen.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""getscreen.me"", ""GetScreen.me"", ""*.getscreen.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of GetScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GetScreen RMM tool""}]",https://docs.getscreen.me/self-hosted/system-requirements/,[] +mstsc,,mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Windows\System32\mstsc.exe, *Windows\System32\mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of mstsc RMM tool""}]",,[] Level.io,,Level.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] -ezHelp,,ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ezhelpclientmanager.exe, ezHelpManager.exe, ezhelpclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ezhelp.co.kr"", ""ezhelp.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of ezHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ezHelp RMM tool""}]",https://www.exhelp.co.kr,[] -Kabuto,,Kabuto is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Kabuto.App.Runner.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kabuto.io"", ""repairtechsolutions.com/kabuto/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Kabuto RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Kabuto RMM tool""}]",https://www.repairtechsolutions.com/documentation/kabuto/,[] -Synergy,,Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Synergy RMM tool""}]",https://symless.com/synergy,[] -ConnectWise,,ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect*Client*\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] TigerVNC,,TigerVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"tigervnc*.exe, winvnc4.exe, C:\Program Files\TightVNC\*, *\TightVNC\*, *\tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TigerVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TigerVNC RMM tool""}]",https://github.com/TigerVNC/tigervnc/releases,[] -GoToMyPC,,"GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -",Nasreddine Bencherchali,2024-08-05,2024-08-05,,AppCore.exe,,,,,,,,,,C:\Program Files (x86)\GoToMyPC\*,"{""Disk"": [{""File"": ""%AppData%\\GoTo\\Logs\\goto.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc"", ""Description"": ""Configuration settings including registration email""}, {""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite"", ""Description"": ""Guest invites send to connect""}, {""Path"": ""HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}, {""Path"": ""HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.GoToMyPC.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml"", 
""Description"": ""Detects potential registry activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml"", ""Description"": ""Detects potential files activity of GoToMyPC RMM tool""}]","https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#, https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls, https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/","[{""Person"": ""Phill Moore"", ""Handle"": ""@phillmoore""}]" -Laplink Everywhere,,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"laplink.exe, laplink-everywhere-setup*.exe, laplinkeverywhere.exe, llrcservice.exe, serverproxyservice.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""everywhere.laplink.com"", ""le.laplink.com"", ""atled.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Everywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Everywhere RMM tool""}]",https://everywhere.laplink.com/docs,[] -Syspectr,,Syspectr is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"oo-syspectr*.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""atled.syspectr.com"", ""app.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syspectr RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syspectr RMM tool""}]",https://www.syspectr.com/en/installation-in-a-network,[] +Dev Tunnels (aka Visual Studio Dev Tunnel),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml"", ""Description"": ""Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool""}]",,[] +Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, InstantHousecall.exe, ihcserver.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""secure.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] +ScreenMeet,,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ScreenMeetSupport.exe, ScreenMeet.Support.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.screenmeet.com"", ""*.scrn.mt""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenMeet RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenMeet RMM tool""}]",https://docs.screenmeet.com/docs/firewall-white-list,[] +BeAnyWhere,,BeAnyWhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"basuptshelper.exe, basupsrvcupdate.exe, BASupApp.exe, BASupSysInf.exe, BASupAppSrvc.exe, TakeControl.exe, BASupAppElev.exe, basupsrvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beanywhere.en.uptodown.com/windows"", ""beanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeAnyWhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeAnyWhere RMM tool""}]",https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,[] +Ultra VNC,,Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\uvnc bvba\UltraVNC\*, *\uvnc bvba\UltraVNC\*, *\UVNC_Launch.exe, *\winvnc.exe, *\vncviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ultra VNC RMM tool""}]",,[] +JollysFastVNC,,JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Site24x7,,Site24x7 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"MEAgentHelper.exe, MonitoringAgent.exe, Site24x7WindowsAgentTrayIcon.exe, Site24x7PluginAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""plus*.site24x7.com"", ""plus*.site24x7.eu"", ""plus*.site24x7.in"", ""plus*.site24x7.cn"", ""plus*.site24x7.net.au"", ""site24x7.com/msp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Site24x7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Site24x7 RMM tool""}]",https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,[] +ManageEngine,,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"InstallShield Setup.exe, ManageEngine_Remote_Access_Plus.exe, *\dcagentservice.exe, C:\Program Files (x86)\DesktopCentral_Agent\bin\*, *\DesktopCentral_Agent\bin\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ManageEngine RMM tool""}]",,[] +Syncro,,Syncro is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"Syncro.Installer.exe, Kabuto.App.Runner.exe, Syncro.Overmind.Service.exe, Kabuto.Installer.exe, KabutoSetup.exe, Syncro.Service.exe, Kabuto.Service.Runner.exe, Syncro.App.Runner.exe, SyncroLive.Service.exe, SyncroLive.Agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kabuto.io"", ""*.syncromsp.com"", ""*.syncroapi.com"", ""syncromsp.com"", ""servably.com"", ""ld.aurelius.host"", ""app.kabuto.io "", ""*.kabutoservices.com"", ""repairshopr.com"", ""kabutoservices.com"", ""attachments.servably.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syncro RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncro RMM tool""}]",https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,[] Remote Utilities,,Remote Utilities is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rutview.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Utilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Utilities RMM tool""}]",https://www.remoteutilities.com/download/,[] -Remcos,,Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,remcos*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remcos RMM tool""}]",,[] -ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, *\ISLLight.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] -DragonDisk,,DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Almageste\DragonDisk\*, *\Almageste\DragonDisk\*, *\DragonDisk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DragonDisk RMM tool""}]",,[] -RealVNC,,RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Supremo,,Supremo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"supremo.exe, supremoservice.exe, supremosystem.exe, supremohelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""supremocontrol.com"", ""*.supremocontrol.com"", ""* .nanosystems.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Supremo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Supremo RMM tool""}]",https://www.supremocontrol.com/frequently-asked-questions/,[] -GoToAssist Agent Desktop Console,,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\G2RDesktopConsole-x64.msi, *\G2RDesktopConsole-x64.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -RemoteView,,RemoteView is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remoteview.exe, rv.exe, rvagent.exe, rvagtray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*content.rview.com"", ""*.rview.com"", ""content.rview.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteView RMM tool""}]",https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall,[] -VNC Connect,,VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\RealVNC\VNC Server\*, *\RealVNC\VNC Server\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Syncthing,,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Roaming\SyncTrayzor\*, *Users\*\AppData\Roaming\SyncTrayzor\*, *\Syncthing.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncthing RMM tool""}]",,[] -KHelpDesk,,KHelpDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,KHelpDesk.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.khelpdesk.com.br""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of KHelpDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KHelpDesk RMM tool""}]",https://www.khelpdesk.com.br/en-us,[] -Netop Remote Control (Impero Connect),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, ngstw32.exe, Netop Ondemand.exe, nldrw32.exe, rmserverconsolemediator.exe, ImperoInit.exe, Connect.Backdrop.cloud*.exe, ImperoClientSVC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.connect.backdrop.cloud"", ""*.netop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool""}]",https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,[] -Bitvise SSH Server,,Bitvise SSH Server is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Bitvise SSH Server\*, *\Bitvise SSH Server\*, *\BvSshServer-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Server RMM tool""}]",,[]
-Apple Remote Desktop,,Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/24/2024,,,,,,,,,,,,ARDAgent.app,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Apple Remote Desktop RMM tool""}]",https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac,[]
-Chrome SSH Extension,,Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*, *Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[]
-NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, client32.exe, pcicfgui.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""geo.netsupportsoftware.com"", ""netsupportmanager.com"", ""*.netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[]
+Microsoft Quick Assist,,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.support.services.microsoft.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Microsoft Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft Quick Assist RMM tool""}]",https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca,[]
+Remmina,,Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[]
+CrossLoop,,CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"crossloopservice.exe, CrossLoopConnect.exe, WinVNCStub.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.crossloop.com"", ""crossloop.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossLoop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossLoop RMM tool""}]",www.CrossLoop.com -> redirects to avast.com,[]
 ESET Remote Administrator,,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"era.exe, einstaller.exe, ezhelp*.exe, eratool.exe, ERAAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""eset.com/me/business/remote-management/remote-administrator/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml"", ""Description"": ""Detects potential network activity of ESET Remote Administrator RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ESET Remote Administrator RMM tool""}]",eset.com/me/business/remote-management/remote-administrator/,[]
+Atera,,"Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransomware or facilitate command execution and lateral movement. 
+",,2024-08-03,2024-10-06,https://www.atera.com/,AteraAgent.exe,AteraAgent.exe,AteraAgent,,SYSTEM,30 day trial,None,"Windows, MacOS, Linux","Integrated remote access with Splashtop and AnyDesk, Remote monitoring and management, Patch management, Network discovery, Backup and disaster recovery, Helpdesk and ticketing, Reporting and analytics, Billing and invoicing, Customer portal, Mobile app","CVE-2023-26078, CVE-2023-26077","*\AgentPackageNetworkDiscovery.exe, *\AgentPackageTaskScheduler.exe, *\ATERA Networks\AteraAgent\*, *\AteraAgent.exe, atera_agent.exe, atera_agent.exe, ateraagent.exe, C:\Program Files\ATERA Networks\AteraAgent\*, C:\Program Files\Atera Networks, C:\Program Files (x86)\Atera Networks, syncrosetup.exe","{""Disk"": [{""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\*"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"", ""Description"": ""Atera service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\Atera Networks\\AlphaAgent.exe"", ""Description"": ""Atera service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSTRemote\\AgentPackageSTRemote.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\AgentPackageMonitoring.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageHeartbeat\\AgentPackageHeartbeat.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\AgentPackageRunCommandInteractive.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AteraAgent"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\AteraAgent.exe\"""", ""Description"": ""Service installation event as result of AteraAgent installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""WinRing0_1_2_0"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageMonitoring\\\\OpenHardwareMonitorLib.sys\"""", ""Description"": ""Service installation event as result of Atera pakcage manager installation.""}, {""EventID"": 11707, ""ProviderName"": ""MsiInstaller"", ""LogFile"": ""Application.evtx"", ""Data"": ""Product: AteraAgent -- Installation completed successfully."", ""Description"": ""Service installation event as result of AteraAgent installation.""}, {""EventID"": 4697, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\\\Program Files\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageFileExplorer\\\\AgentPackageFileExplorer.exe XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production 443 [BASE64BLOB]"", ""Description"": ""Service installation event as result of AteraAgent installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\ATERA Networks\\AlphaAgent"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AteraAgent"", ""Description"": null}, {""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc."", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AlphaAgent"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AteraAgent"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASAPI32"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASMANCS"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\ATERA Networks\\*"", ""Description"": null}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""pubsub.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""pubsub.pubnub.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agentreporting.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""getalphacontrol.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""app.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agenthb.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""packagesstore.blob.core.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""ps.pndsn.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agent-api.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""cacerts.thawte.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agentreportingstore.blob.core.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""atera-agent-heartbeat.servicebus.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""ps.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""atera.pubnubapi.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""appcdn.atera.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml"", ""Name"": ""AteraAgent malicious installations"", ""Description"": ""Detects AteraAgent installations with suspicious command line arguments.""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml"", ""Name"": ""Atera Agent Installation"", ""Description"": ""Detects Atera Agent installation.""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml"", ""Description"": ""Detects potential network activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml"", ""Description"": ""Detects potential files activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Atera RMM tool""}]","https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations, https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent, https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018, https://thedfirreport.com/?s=ateraagent","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}, {""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}, {""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]"
+NoMachine,,NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nomachine*.exe, nxservice*.ese, nxd.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""nomachine.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml"", ""Description"": ""Detects potential network activity of NoMachine RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoMachine RMM tool""}]",https://kb.nomachine.com/AR04S01122,[]
+ISL Light,,ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""islonline.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Light RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Light RMM tool""}]",,[]
 Yandex.Disk,,Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Yandex\*, *\Yandex\*, *\YandexDisk2.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Yandex.Disk RMM tool""}]",,[]
-N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"BASupSrvc.exe, winagent.exe, BASupApp.exe, BASupTSHelper.exe, Agent_*_RW.exe, BASEClient.exe, BASupSrvcCnfg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beanywhere.com "", ""systemmonitor.co.uk"", ""*system-monitor.com"", ""cloudbackup.management"", ""*systemmonitor.co.uk"", ""n-able.com"", ""systemmonitor.us"", ""*systemmonitor.eu.com"", ""*.logicnow.com"", ""*.swi-tc.com"", ""*remote.management"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""remote.management"", ""logicnow.com"", ""system-monitor.com"", ""*systemmonitor.us"", ""systemmonitor.eu.com"", ""*.n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[]
+ManageEngine RMM Central,,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""manageengine.com/remote-monitoring-management/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of ManageEngine RMM Central RMM tool""}]",,[]
+Seetrol,,Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"seetrolcenter.exe, seetrolclient.exe, seetrolmyservice.exe, seetrolremote.exe, seetrolsetting.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""seetrol.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Seetrol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Seetrol RMM tool""}]",http://www.seetrol.com/en/features/features3.php,[]
+AweRay,,AweRay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aweray_remote*.exe, AweSun.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""asapi*.aweray.net"", ""client-api.aweray.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml"", ""Description"": ""Detects potential network activity of AweRay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AweRay RMM tool""}]",https://sun.aweray.com/help,[]
+OCS inventory,,OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ocsinventory.exe, ocsservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ocsinventory-ng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml"", ""Description"": ""Detects potential network activity of OCS inventory RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OCS inventory RMM tool""}]",https://ocsinventory-ng.org/?page_id=878&lang=en,[]
+GoTo Opener,,GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\GoTo Opener, *\GoTo Opener","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[]
+AnyViewer,,"AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
+",@kostastsale,2024-08-03,2024-08-03,https://www.anyviewer.com/,AnyViewer.exe,AnyViewer,Splash Window,,System,up to 10 devices,None,Windows,"Remote desktop, Remote file transfer, Remote monitoring and management, Remote shell open",,C:\Program Files (x86)\AnyViewer\*,"{""Disk"": [], ""EventLog"": [{""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""\""C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\"" -d"", ""Description"": ""Taking actions on the remote machine such as opening a command prompt.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""RCService"", ""ImagePath"": ""C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe"", ""Description"": ""AnyViewer service installation service.""}], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.anyviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.aomeisoftware.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of AnyViewer RMM tool""}]","https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html, https://www.anyviewer.com/help/remote-technical-support.html","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]"
+NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, pcicfgui.exe, client32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.netsupportmanager.com"", ""netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[]
+pcAnywhere,,pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"awhost32.exe, awrem32.exe, pcaquickconnect.exe, winaw32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of pcAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of pcAnywhere RMM tool""}]",https://en.wikipedia.org/wiki/PcAnywhere,[]
+RES Automation Manager,,RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"wisshell*.exe, wmc.exe, wmc_deployer.exe, wmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ivanti.com/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of RES Automation Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RES Automation Manager RMM tool""}]",https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1,[]
+Rocket Remote Desktop,,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"RDConsole.exe, RocketRemoteDesktop_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rocket Remote Desktop RMM tool""}]",,[]
+LogMeIn,,"LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
+",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.logmein.com/,lmiguardiansvc.exe,,,,,,,,,,None,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""logmein-gateway.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.eu""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""logmeinrescue.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmeininc.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"", ""Description"": ""DNS Query To Remote Access Software Domain From Non-Browser App""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml"", ""Description"": ""Remote Access Tool - LogMeIn Execution""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn RMM tool""}]",https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]"
+Solar-PuTTY,,Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Solar-Putty-v4\*, *\Solar-Putty-v4\*, *\Solar-PuTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Solar-PuTTY RMM tool""}]",,[]
+SuperOps,,SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"superopsticket.exe, superops.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.superopsbeta.com"", ""superops.ai"", ""serv.superopsalpha.com"", ""*.superops.ai"", ""*.superopsalpha.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml"", ""Description"": ""Detects potential network activity of SuperOps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperOps RMM tool""}]",https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent,[]
+RealVNC,,RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[]
+NordLocker,,NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[]
+Auvik,,Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"auvik.engine.exe, auvik.agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.my.auvik.com"", ""*.auvik.com"", ""auvik.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml"", ""Description"": ""Detects potential network activity of Auvik RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Auvik RMM tool""}]",https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use,[]
+AeroAdmin,,AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aeroadmin.exe, AeroAdmin.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth*.aeroadmin.com"", ""aeroadmin.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of AeroAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AeroAdmin RMM tool""}]",https://support.aeroadmin.com/kb/faq.php?id=58,[]
+Netop,,Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Danware Data\NetOp Packn Deploy\*, *\Danware Data\NetOp Packn Deploy\*, *\Netop Remote Control\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[]
+KiTTY,,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\kitty.exe, *\kitty.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KiTTY RMM tool""}]",,[]
+Level,,Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level RMM tool""}]",,[]
+CloudFlare Tunnel,,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,cloudflared.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloudflare.com/products/tunnel/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of CloudFlare Tunnel RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudFlare Tunnel RMM tool""}]",cloudflare.com/products/tunnel/,[]
+MEGAsync,,MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*, *ProgramData\MEGAsync\*, *\MEGAsyncSetup64.exe, *\MEGAupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MEGAsync RMM tool""}]",,[]
+Xshell,,Xshell is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\NetSarang\xShell\*, *\NetSarang\xShell\*, *\xShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xshell RMM tool""}]",,[]
+Naverisk,,Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,AgentSetup-*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""naverisk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml"", ""Description"": ""Detects potential network activity of Naverisk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Naverisk RMM tool""}]",http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents,[]
+Mikogo,,Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"mikogo.exe, mikogo-starter.exe, mikogo-service.exe, mikogolauncher.exe, C:\Users\*\AppData\Roaming\Mikogo\*, *Users\*\AppData\Roaming\Mikogo\*, *\Mikogo-Service.exe, *\Mikogo-Screen-Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.real-time-collaboration.com"", ""*.mikogo4.com"", ""*.mikogo.com"", ""mikogo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Mikogo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Mikogo RMM tool""}]",https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services,[]
+PSEXEC,,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"psexec.exe, psexecsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC RMM tool""}]",https://learn.microsoft.com/en-us/sysinternals/downloads/psexec,[]
+RemoteUtilities,,RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"rutview.exe, *\Remote Manipulator System - Server\*, C:\Program Files\Remote Utilities\*, *\Remote Utilities\*, rutserv.exe, *\rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remoteutilities.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteUtilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteUtilities RMM tool""}]",,[]
+Panorama9,,Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,p9agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""trusted.panorama9.com"", ""changes.panorama9.com"", ""panorama9.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml"", ""Description"": ""Detects potential network activity of Panorama9 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Panorama9 RMM tool""}]",https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with,[]
+WebEx (Remote Access),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access,[]
+Pcnow,,Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mwcliun.exe, pcnmgr.exe, webexpcnow.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""au.pcmag.com/utilities/21470/webex-pcnow""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pcnow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pcnow RMM tool""}]",http://pcnow.webex.com/ - DOA as of 2024,[]
 MyIVO,,MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"myivomgr.exe, myivomanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""myivo-server.software.informer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyIVO RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyIVO RMM tool""}]",myivo.com - DOA as of 2024,[]
-ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] +Addigy,,Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,addigy-*.pkg,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""prod.addigy.com"", ""grtmprod.addigy.com"", ""agents.addigy.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Addigy RMM tool""}]",https://addigy.com/,[] +WinSCP,,WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\IEUser\Downloads\WinSCP-5.21.6-Portable\*, *\WinSCP*Portable\*, *\WinSCP.exe, *\WinSCP\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WinSCP RMM tool""}]",,[] +Netreo,,Netreo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""charon.netreo.net"", ""activation.netreo.net"", ""*.api.netreo.com"", ""netreo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netreo RMM tool""}]",https://solutions.netreo.com/docs/firewall-requirements,[] +rdp2tcp,,rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"tdp2tcp.exe, rdp2tcp.py","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/V-E-O/rdp2tcp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdp2tcp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdp2tcp RMM tool""}]",github.com/V-E-O/rdp2tcp,[] +BeInSync,,BeInSync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,Beinsync*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beinsync.net"", ""*.beinsync.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeInSync RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeInSync RMM tool""}]",https://en.wikipedia.org/wiki/Phoenix_Technologies,[] +FixMe.it,,FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"FixMeit Client.exe, TiExpertStandalone.exe, FixMeitClient*.exe, TiExpertCore.exe, FixMeit Unattended Access Setup.exe, FixMeit Expert Setup.exe, TiExpertCore.exe, fixmeitclient.exe, TiClientCore.exe, TiClientHelper*.exe, 9380CC75B872221A7425D7503565B67580407F60","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fixme.it"", ""*.techinline.net"", ""fixme.it"", ""*set.me"", ""*setme.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml"", ""Description"": ""Detects potential network activity of FixMe RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FixMe RMM tool""}]",,[] +SunLogin,,SunLogin is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OrayRemoteShell.exe, OrayRemoteService.exe, sunlogin*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""sunlogin.oray.com"", ""client.oray.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml"", ""Description"": ""Detects potential network activity of SunLogin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SunLogin RMM tool""}]",https://sunlogin.oray.com/en/embed/software.html,[] VNC,,VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"winvnc*.exe, vncserver.exe, winwvc.exe, winvncsc.exe, vncserverui.exe, vncviewer.exe, winvnc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""realvnc.com/en/connect/download/vnc""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of VNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of VNC RMM tool""}]",https://realvnc.com/en/connect/download/vnc,[] +MioNet (Also known as WD Anywhere Access),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool""}]",,[] +Ericom Connect,,Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"EricomConnectRemoteHost*.exe, ericomconnnectconfigurationtool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom Connect RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] +Synergy,,Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Synergy RMM tool""}]",https://symless.com/synergy,[] +CrossTec Remote Control,,CrossTec Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"PCIVIDEO.EXE, supporttool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""crosstecsoftware.com/remotecontrol""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossTec Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossTec Remote Control RMM tool""}]",www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024,[] +RunSmart,,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""runsmart.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml"", ""Description"": ""Detects potential network activity of RunSmart RMM tool""}]",,[] +GotoHTTP,,GotoHTTP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"GotoHTTP_x64.exe, gotohttp.exe, GotoHTTP*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gotohttp.com"", ""gotohttp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml"", ""Description"": ""Detects potential network activity of GotoHTTP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GotoHTTP RMM tool""}]",https://gotohttp.com/goto/help.12x,[] +SimpleHelp,,SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"simplehelpcustomer.exe, simpleservice.exe, simplegatewayservice.exe, remote access.exe, windowslauncher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""simple-help.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of SimpleHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SimpleHelp RMM tool""}]",https://simple-help.com/remote-support,[] +rdpwrap,,rdpwrap is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"RDPWInst.exe, RDPCheck.exe, RDPConf.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/stascorp/rdpwrap""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdpwrap RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdpwrap RMM tool""}]",github.com/stascorp/rdpwrap,[] +Laplink Everywhere,,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"laplink.exe, laplink-everywhere-setup*.exe, laplinkeverywhere.exe, llrcservice.exe, serverproxyservice.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""everywhere.laplink.com"", ""le.laplink.com"", ""atled.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Everywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Everywhere RMM tool""}]",https://everywhere.laplink.com/docs,[] +Adobe Connect,,Adobe Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,"ConnectAppSetup*.exe, ConnectShellSetup*.exe, Connect.exe, ConnectDetector.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.adobeconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Adobe Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Adobe Connect RMM tool""}]",https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html,[] +ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net"", ""itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] +MioNet (WD Anywhere Access),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool""}]",https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016,[] +Syncthing,,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Roaming\SyncTrayzor\*, *Users\*\AppData\Roaming\SyncTrayzor\*, *\Syncthing.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncthing RMM tool""}]",,[] +EMCO Remote Console,,EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,remoteconsole.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""emcosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml"", ""Description"": ""Detects potential network activity of EMCO Remote Console RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of EMCO Remote Console RMM tool""}]",,[] ServerEye,,ServerEye is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"servereye*.exe, ServiceProxyLocalSys.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.server-eye.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml"", ""Description"": ""Detects potential network activity of ServerEye RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ServerEye RMM tool""}]",https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf,[] +Anyplace Control,,Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,apc_host.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""anyplace-control.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Anyplace Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Anyplace Control RMM tool""}]",http://www.anyplace-control.com/anyplace-control/help/faq.htm,[] +ShowMyPC,,ShowMyPC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SMPCSetup.exe, showmypc*.exe, showmypc.exe, smpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.showmypc.com"", ""showmypc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of ShowMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ShowMyPC RMM tool""}]",https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf,[] +Royal Server,,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Server RMM tool""}]",https://royalapps.com/server/main/features,[] +Remobo,,Remobo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remobo.exe, remobo_client.exe, remobo_tracker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""remobo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remobo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remobo RMM tool""}]",https://www.remobo.com - DOA as of 2024,[] +Tailscale,,Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tailscale-*.exe, tailscaled.exe, tailscale-ipn.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.tailscale.com"", ""*.tailscale.io"", ""tailscale.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tailscale RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tailscale RMM tool""}]",https://tailscale.com/kb/1023/troubleshooting,[] +Electric AI (Kaseya),,Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""electric.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml"", ""Description"": ""Detects potential network activity of Electric RMM tool""}]",https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf,[] +Action1,,"Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. +Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed. +",@kostastsale,2024-08-03,2024-10-06,https://www.action1.com/,action1_connector.exe,,,,SYSTEM,Yes,Corporate email required although temporary email services are accepted,Windows,"Backup and disaster recovery, Billing and invoicing, Customer portal, HelpDesk and ticketing, Mobile app, Network discovery, Patch management, Remote monitoring and management, Reporting and analytics",,C:\Windows\Action1\*,"{""Disk"": [{""File"": ""C:\\Windows\\Action1\\action1_agent.exe"", ""Description"": ""Action1 service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\*"", ""Description"": ""Multiple files and binaries related to Action1 installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\scripts\\*"", ""Description"": ""Multiple scripts related to Action1 installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\rule_data\\*"", ""Description"": ""Files related to Action1 rules"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\action1_log_*.log"", ""Description"": ""Contains history, errors, system notifications. 
Incoming and outgoing connections."", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""A1Agent"", ""ImagePath"": ""\""C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"""", ""Description"": ""Service installation event as result of Action1 installation.""}, {""EventID"": 4697, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""ServiceName"": ""A1Agent"", ""CommandLine"": ""C:\\Windows\\Action1\\action1_agent.exe service"", ""Description"": ""Service installation event as result of Action1 installation.""}, {""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\Windows\\Action1\\action1_agent.exe loggedonuser"", ""Description"": ""Executing command to get logged on user.""}], ""Registry"": [{""Path"": ""HKLM\\System\\CurrentControlSet\\Services\\A1Agent"", ""Description"": ""Service installation event as result of Action1 installation.""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe"", ""Description"": ""Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software.""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Action1"", ""Description"": ""Storing its configuration settings and other relevant information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.action1.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""a1-backend-packages.s3.amazonaws.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": 
""https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Action1 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml"", ""Description"": ""Detects potential network activity of Action1 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml"", ""Description"": ""Detects potential files activity of Action1 RMM tool""}]","https://www.action1.com/documentation/firewall-configuration/, https://www.action1.com/documentation/, https://twitter.com/Kostastsale/status/1646256901506605063?s=20, https://ruler-project.github.io/ruler-project/RULER/remote/Action1/","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" +Koofr,,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Tanium,,Tanium is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"TaniumClient.exe, TaniumCX.exe, TaniumExecWrapper.exe, TaniumFileInfo.exe, TPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.tanium.com"", ""*.cloud.tanium.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tanium RMM tool""}]",https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html,[] +MultCloud,,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"requires sign up, requires sign up","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Ericom AccessNow,,Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"accessserver*.exe, accessserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom AccessNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom AccessNow RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] +mRemoteNG,,mRemoteNG is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mRemoteNG.exe, C:\Program Files (x86)\mRemoteNG\*, *\mRemoteNG\*, *\mRemoteNG.exe, c:\Program Files (x86)%\mRemoteNG, *%\mRemoteNG, mRemoteNG-Installer-*.msi, *\mRemoteNG.exe","{""Disk"": [{""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log"", ""Description"": ""mRemoteNG log file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml"", ""Description"": ""mRemoteNG configuration file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config"", ""Description"": ""mRemoteNG user configuration file"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""mremoteng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml"", ""Description"": ""Detects potential network activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml"", ""Description"": ""Detects potential files activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of mRemoteNG RMM tool""}]",https://github.com/mRemoteNG/mRemoteNG,[] +eHorus,,eHorus is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ehorus standalone.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml"", ""Description"": ""Detects potential network activity of eHorus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of eHorus RMM tool""}]",,[] +I'm InTouch,,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iit.exe, intouch.exe, I'm InTouch Go Installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.01com.com"", ""01com.com/imintouch-remote-pc-desktop""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml"", ""Description"": ""Detects potential network activity of I'm InTouch RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of I'm InTouch RMM tool""}]",https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/,[] +Comodo RMM,,Comodo RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"itsmagent.exe, rviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsm-us1.comodo.com"", ""*mdmsupport.comodo.com"", ""one.comodo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Comodo RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Comodo RMM RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] +Jump Cloud,,Jump Cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,JumpCloud*.exe ,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.api.jumpcloud.com"", ""*.assist.jumpcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Cloud RMM tool""}]",https://jumpcloud.com/support/understand-remote-assist-agent,[] +Parallels Access,,Parallels Access is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"parallelsaccess-*.exe, TSClient.exe, prl_deskctl_agent.exe, prl_deskctl_wizard.exe, prl_pm_service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.parallels.com"", ""parallels.com/products/ras/try""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml"", ""Description"": ""Detects potential network activity of Parallels Access RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Parallels Access RMM tool""}]",https://kb.parallels.com/en/129097,[] +RemotePC,,RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"C:\Program Files (x86)\RemotePC\*, Idrive.File-Transfer, *\RemotePC\*, remotepcservice.exe, RemotePC.exe, remotepchost.exe, idrive.RemotePCAgent, rpcsuite.exe, *\RemotePCService.exe, RemotePCService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotedesktop.com"", ""*.remotepc.com"", ""www.remotepc.com"", ""remotepc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePC RMM tool""}]",https://www.remotedesktop.com/helpdesk/faq-firewall,[] +AnyDesk,RMM,"AnyDesk is a popular remote desktop software that enables users to access and control a computer or device from a remote 
location. It was developed with the primary goal of facilitating remote work, technical support, and collaboration between individuals and teams. +","Ali Alwashali, Nasreddine Bencherchali",2023-09-29,2024-10-06,https://anydesk.com/en,anydesk.exe,AnyDesk.exe,AnyDesk,AnyDesk,User,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows","File Transfer, File System Access, Remote Control, GUI Support, Command line Support",https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html,"C:\Program Files (x86)\AnyDesk\*, C:\Program Files\AnyDesk\*","{""Disk"": [{""File"": ""%programdata%\\AnyDesk\\ad_svc.trace"", ""Description"": ""AnyDesk service log file. As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established."", ""OS"": ""Windows"", ""Example"": [""info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798""]}, {""File"": ""%programdata%\\AnyDesk\\connection_trace.txt"", ""Description"": ""Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)"", ""OS"": ""Windows"", ""Example"": [""Incoming 2022-08-23, 10:23 Passwd 547911884 547911884"", ""Incoming 2022-09-28, 12:39 User 442226597 442226597""]}, {""File"": ""%APPDATA%\\AnyDesk\\connection_trace.txt"", ""Description"": ""Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. 
the local user authorized it, or a password was used)"", ""OS"": ""Windows"", ""Example"": [""Incoming 2022-08-23, 10:23 Passwd 547911884 547911884"", ""Incoming 2022-09-28, 12:39 User 442226597 442226597""]}, {""File"": ""%APPDATA%\\AnyDesk\\ad.trace"", ""Description"": ""AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant."", ""OS"": ""Windows"", ""Example"": [""info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30)."", ""info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0.""]}, {""File"": ""%APPDATA%\\AnyDesk\\chat\\*.txt"", ""Description"": ""If the chat functionality is used, its entries will be printed in a text file in this folder."", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\user.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\AnyDesk\\service.conf"", ""Description"": ""Password can be set to auto-validate the session. 
The password will be saved in a salted hash format."", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\service.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\system.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\AnyDesk\\system.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""~/Library/Application Support/AnyDesk/Logs/"", ""Description"": ""N/A"", ""OS"": ""Mac""}, {""File"": ""~/.config/AnyDesk/Logs/"", ""Description"": ""N/A"", ""OS"": ""Linux""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AnyDesk Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\"" --service"", ""Description"": ""Service installation event as result of AnyDesk installation.""}, {""EventID"": 4697, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""ServiceName"": ""AnyDesk Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\"" --service"", ""Description"": ""Service installation event as result of AnyDesk installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": 
""HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""During setup the boot.net.anydesk.com domain is request over port 443"", ""Domains"": [""boot.net.anydesk.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""relay-[a-f0-9]{8}.net.anydesk.com:443""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.anydesk.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""User-Agent"", ""Value"": ""AnyDesk/*""}, {""Type"": ""NamedPipe"", ""Value"": ""adprinterpipe""}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml"", ""Description"": ""Anydesk Remote Access Software Service Installation""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml"", ""Description"": ""N/A""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml"", ""Description"": ""N/A""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml"", ""Description"": 
""Remote Access Tool - AnyDesk Silent Installation""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of AnyDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of AnyDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml"", ""Description"": ""Detects potential files activity of AnyDesk RMM tool""}]","https://support.anydesk.com/knowledge/firewall, https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk, https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}, {""Person"": ""Ali Alwashali"", ""Handle"": ""@ali_alwashali""}, {""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +RDPView,,RDPView is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,dwrcs.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""systemmanager.ru/dntu.en/rdp_view.htm""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RDPView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RDPView RMM tool""}]",systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware,[] +Royal Apps,,Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"royalserver.exe, royalts.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Apps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal Apps RMM tool""}]",https://www.royalapps.com/ts/win/download,[] +TeleDesktop,,TeleDesktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pstlaunch.exe, ptdskclient.exe, ptdskhost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tele-desk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeleDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeleDesktop RMM tool""}]",http://potomacsoft.com/ - DOA as of 2024,[] +RustDesk,,RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rustdesk*.exe, rustdesk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""rustdesk.com"", ""user_managed"", ""web.rustdesk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of RustDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RustDesk RMM tool""}]",https://rustdesk.com/docs/en/,[] Rapid7,,Rapid7 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"ir_agent.exe, rapid7_agent_core.exe, rapid7_endpoint_broker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.analytics.insight.rapid7.com"", ""*.endpoint.ingress.rapid7.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Rapid7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rapid7 RMM tool""}]",https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/,[] -GoToAssist (GoTo Resolve),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramFiles*\GoTo Machine Installer\*, *\GoTo Machine Installer\*, *\GoTo\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -GetScreen,,GetScreen is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"GetScreen.exe, getscreen.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""getscreen.me"", ""GetScreen.me"", ""*.getscreen.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of GetScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GetScreen RMM tool""}]",https://docs.getscreen.me/self-hosted/system-requirements/,[] MobaXterm,,MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\MobaXterm_installer_12.1.msi, *\MobaXterm_installer_*.msi, *\Mobatek\MobaXterm\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -CrossTec Remote Control,,CrossTec Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"PCIVIDEO.EXE, supporttool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""crosstecsoftware.com/remotecontrol""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossTec Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossTec Remote Control RMM tool""}]",www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024,[] -Absolute (Computrace),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,6/18/2024,,,,,,,,,,,,"rpcnet.exe, ctes.exe, ctespersitence.exe, cteshostsvc.exe, rpcld.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*search.namequery.com"", ""*server.absolute.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml"", ""Description"": ""Detects potential network activity of Absolute (Computrace) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Absolute (Computrace) RMM tool""}]",https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,[] -Xshell,,Xshell is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\NetSarang\xShell\*, *\NetSarang\xShell\*, *\xShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xshell RMM tool""}]",,[] -MyGreenPC,,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,mygreenpc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*mygreenpc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyGreenPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyGreenPC RMM tool""}]",http://www.mygreenpc.com/,[] +Sophos-Remote Management System,,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"clientmrinit.exe, mgntsvc.exe, routernt.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sophos.com"", ""*.sophosupd.com"", ""*.sophosupd.net"", ""community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sophos-Remote Management System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sophos-Remote Management System RMM tool""}]",community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system,[] Level.io,,Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] -Microsoft Quick Assist,,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.support.services.microsoft.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Microsoft Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft Quick Assist RMM tool""}]",https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca,[] -Manage Engine (Desktop Central),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"dcagentservice.exe, dcagentregister.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""desktopcentral.manageengine.com"", ""desktopcentral.manageengine.com.eu"", ""desktopcentral.manageengine.cn"", ""*.dms.zoho.com"", ""*.dms.zoho.com.eu"", ""*.-dms.zoho.com.cn""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of Desktop Central RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Desktop Central RMM tool""}]",,[] +Pcvisit,,Pcvisit is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcvisit.exe, pcvisit_client.exe, pcvisit-easysupport.exe, pcvisit_service_client.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.pcvisit.de"", ""pcvisit.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pcvisit RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pcvisit RMM tool""}]",https://www.pcvisit.de/,[] +Domotz,,Domotz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"domotz.exe, Domotz Pro Desktop App.exe, domotz_bash.exe, domotz*.exe, Domotz Pro Desktop App Setup*.exe, domotz-windows*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.domotz.co"", ""domotz.com"", ""*cell-1.domotz.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml"", ""Description"": ""Detects potential network activity of Domotz RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Domotz RMM tool""}]",https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,[] +Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft TSC RMM tool""}]",https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[] +RemotePass,,RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"remotepass-access.exe, rpaccess.exe, rpwhostscr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remotepass.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePass RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePass RMM tool""}]",https://www.remotepass.com/rpaccess.html - DOA as of 2024,[] +Devolutions Remote Desktop Manager,,Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +ZeroTier,,ZeroTier is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zerotier*.msi, zerotier*.exe, zero-powershell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""zerotier.com"", ""*.zerotier.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml"", ""Description"": ""Detects potential network activity of ZeroTier RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZeroTier RMM tool""}]",https://my.zerotier.com/,[] +Zabbix Agent,,Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,zabbix_agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""zabbix.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zabbix Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zabbix Agent RMM tool""}]",https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent,[] +Sorillus,,Sorillus is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Sorillus-Launcher*.exe, Sorillus Launcher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sorillus.com"", ""sorillus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sorillus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sorillus RMM tool""}]",https://sorillus.com/,[] +247ithelp.com (ConnectWise),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Remote Workforce Client.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.247ithelp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool""}]",Similar / replaced by ScreenConnect,[] +SmartCode Web VNC,,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\TightVNC\*, *\TightVNC\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Visual Studio Dev Tunnel,,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""global.rel.tunnels.api.visualstudio.com"", ""*.rel.tunnels.api.visualstudio.com"", ""*.devtunnels.ms""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of Visual Studio Dev Tunnel RMM tool""}]",https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security,[] +LabTech RMM (Now ConnectWise Automate),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml"", ""Description"": ""Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}]",,[] +Remote.it,,Remote.it is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remote-it-installer.exe, remote.it.exe, remoteit.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth.api.remote.it"", ""api.remote.it"", ""remote.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote.it RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote.it RMM tool""}]",https://docs.remote.it/introduction/get-started,[] +ExtraPuTTY,,ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *\ExtraPuTTY-0.30-2016-01-28-installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ExtraPuTTY RMM tool""}]",,[] +N-ABLE Remote Access Software,,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-ABLE Remote Access Software RMM tool""}]",,[] +Ivanti Remote Control,,Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"IvantiRemoteControl.exe, ArcUI.exe, AgentlessRC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ivanti Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ivanti Remote Control RMM tool""}]",https://rc1.ivanticloud.com/,[] +PDQ Connect,,PDQ Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,pdq-connect*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""app.pdq.com"", ""cfcdn.pdq.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of PDQ Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PDQ Connect RMM tool""}]",https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements,[] +X2Go,,X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://wiki.x2go.org/doku.php,[] +Remote Desktop Manager (Devolutions),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +DW Service,,DW Service is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"dwagsvc.exe, dwagent.exe, dwagsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.dwservice.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml"", ""Description"": ""Detects potential network activity of DW Service RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DW Service RMM tool""}]",https://news.dwservice.net/dwservice-security-infrastructure/,[] +VNC Connect,,VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\RealVNC\VNC Server\*, *\RealVNC\VNC Server\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Terminals,,Terminals is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Duplicati,,Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files\*\Duplicati.Server.exe, *\*\Duplicati.Server.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Duplicati RMM tool""}]",,[] +MeshCentral,,"MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. 
MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes. +",@kostastsale,2024-09-20,2024-09-20,https://meshcentral.com/,MeshAgent.exe,,MeshCentral Background Service Agent,,SYSTEM,Yes,N/A,"Windows, Linux, MacOS, FreeBSD","Remote Desktop & Terminal, Remote File Access, Text and Voice Chat, Server File Storage, Real-time User interface, Port Forwarding",CVE-2024-26135,"meshcentral*.exe, meshagent*.exe","{""Disk"": [{""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.exe"", ""Description"": ""Local MeshAgent service binary after installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.msh"", ""Description"": ""Local MeshAgent service configuration file. Contains configuration settings including the MeshCentral server address, port, and other settings. If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary."", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Mesh Agent background service"", ""ImagePath"": ""\""C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"""", ""Description"": ""Service installation event as result of MeshAgent installation.""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""meshcentral.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml"", ""Description"": ""Detects potential network activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MeshCentral RMM tool""}, {""Sigma"": 
""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml"", ""Description"": ""Detects MeshAgent Command Execution via MeshCentral""}]","https://ylianst.github.io/MeshCentral/meshcentral/, https://github.com/Ylianst/MeshAgent","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" +Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, ihcserver.exe, instanthousecall.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com"", ""secure.instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] +BeamYourScreen,,BeamYourScreen is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"beamyourscreen.exe, beamyourscreen-host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beamyourscreen.com"", ""*.beamyourscreen.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeamYourScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeamYourScreen RMM tool""}]",beamyourscreen redirects to https://www.mikogo.com/,[] +WebRDP,,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,webrdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/Mikej81/WebRDP""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml"", ""Description"": ""Detects potential network activity of WebRDP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WebRDP RMM tool""}]",github.com/Mikej81/WebRDP,[] +ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"*\ISLLight.exe, isllight.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, ISLLight.exe, isllightservice.exe, islalwaysonmonitor.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] +QQ IM-remote assistance,,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"qq.exe, QQProtect.exe, qqpcmgr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.mdt.qq.com"", ""*.desktop.qq.com"", ""upload_data.qq.com"", ""qq-messenger.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml"", ""Description"": ""Detects potential network activity of QQ IM-remote assistance RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of QQ IM-remote assistance RMM tool""}]",https://en.wikipedia.org/wiki/Tencent_QQ,[] +NinjaRMM,,NinjaRMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ninjarmmagent.exe, NinjaRMMAgent.exe, NinjaRMMAgenPatcher.exe, ninjarmm-cli.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ninjarmm.com"", ""*.ninjaone.com"", ""resources.ninjarmm.com"", ""ninjaone.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of NinjaRMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NinjaRMM RMM tool""}]",https://www.ninjaone.com/faq/,[] +Echoware,,Echoware is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"echoserver*.exe, echoware.dll","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Echoware RMM tool""}]",,[] +DeskDay,,DeskDay is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ultimate_*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deskday.ai"", ""app.deskday.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml"", ""Description"": ""Detects potential network activity of DeskDay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DeskDay RMM tool""}]",https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate,[] +Xpra,,Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Xpra\*, *\Xpra\*, *\Xpra-Launcher.exe, *\Xpra-x86_64_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xpra RMM tool""}]",,[] +Fortra,,Fortra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fortra.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml"", ""Description"": ""Detects potential network activity of Fortra RMM tool""}]",https://www.fortra.com - No free/cloud RMM softwars listed,[] +Pocket Controller (Soti Xsight),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcontroller.exe, wysebrowser.exe, XSightService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*soti.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool""}]",https://pulse.soti.net/support/soti-xsight/help/,[] +LANDesk,,LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"issuser.exe, landeskagentbootstrap.exe, LANDeskPortalManager.exe, ldinv32.exe, ldsensors.exe, C:\Program Files (x86)\LANDesk\*, *\LANDesk\*, *\issuser.exe, *\softmon.exe, *\tmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com"", ""*.ivanti.com"", ""ivanti.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of LANDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LANDesk RMM tool""}]",https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US,[] +Netviewer,,Netviewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"netviewer*.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""download.cnet.com/Net-Viewer/3000-2370_4-10034828.html""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netviewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer RMM tool""}]",,[] +Quick Assist,,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.support.services.microsoft.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quick Assist RMM tool""}]",,[] +Xeox,,Xeox is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"xeox-agent_x64.exe, xeox_service_windows.exe, xeox-agent_*.exe, xeox-agent_x86.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.xeox.com"", ""xeox.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml"", ""Description"": ""Detects potential network activity of Xeox RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xeox RMM tool""}]",https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW,[] +SysAid,,SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\SysAidServer\*, *\SysAidServer\*, *\SysAid\*, *\IliAS.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SysAid RMM tool""}]",,[] +Itarian,,Itarian is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ITSMAgent.exe, RViewer.exe, ItsmRsp.exe, RAccess.exe, RmmService.exe, ITarianRemoteAccessSetup.exe, RDesktop.exe, ComodoRemoteControl.exe, ITSMService.exe, RHost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""mdmsupport.comodo.com"", ""*.itsm-us1.comodo.com"", ""*.cmdm.comodo.com"", ""remoteaccess.itarian.com"", ""servicedesk.itarian.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml"", ""Description"": ""Detects potential network activity of Itarian RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Itarian RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] +Kabuto,,Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Kabuto.App.Runner.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kabuto.io"", ""repairtechsolutions.com/kabuto/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Kabuto RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Kabuto RMM tool""}]",https://www.repairtechsolutions.com/documentation/kabuto/,[] +Remote Manipulator System,,Remote Manipulator System is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rfusclient.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru"", ""rmansys.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Manipulator System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Manipulator System RMM tool""}]",https://rmansys.ru/files/,[] +NateOn-desktop sharing,,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nate.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of NateOn-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NateOn-desktop sharing RMM tool""}]",http://rsupport.nate.com/rview/r8/main/index.aspx,[] +Lite Manager,,Lite Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\LiteManager Pro – Viewer\*, *\LiteManager Pro – Viewer\*, *\LMNoIpServer.exe.","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Syspectr,,Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"oo-syspectr*.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""atled.syspectr.com"", ""app.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syspectr RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syspectr RMM tool""}]",https://www.syspectr.com/en/installation-in-a-network,[] diff --git a/website/public/api/rmm_tools.json b/website/public/api/rmm_tools.json index a3aa4e46..4b558e21 100644 --- a/website/public/api/rmm_tools.json +++ b/website/public/api/rmm_tools.json @@ -1,10 +1,10 @@ [ { - "Name": "LabTeach (Connectwise Automate)", - "Description": "LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DeskNets", + "Description": "DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -18,9 +18,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "ltsvc.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -28,21 +26,18 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml", - "Description": "Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool" - } + "Detections": [], + "References": [ + "https://www.desknets.com/en/download.html" ], - "References": [], "Acknowledgement": [] }, { - "Name": "Zabbix Agent", - "Description": "Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CentraStage (Now Datto)", + "Description": "CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -57,7 +52,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "zabbix_agent*.exe" + "CagService.exe", + "AEMAgent.exe" ] }, "Artifacts": { @@ -68,8 +64,9 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "zabbix.com" + "*.rmm.datto.com", + "*cc.centrastage.net", + "datto.com/au/products/rmm/" ], "Ports": [] } 
@@ -77,22 +74,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml", - "Description": "Detects potential network activity of Zabbix Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml", + "Description": "Detects potential network activity of CentraStage (Now Datto) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml", - "Description": "Detects potential processes activity of Zabbix Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml", + "Description": "Detects potential processes activity of CentraStage (Now Datto) RMM tool" } ], "References": [ - "https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent" + "https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm" ], "Acknowledgement": [] }, { - "Name": "Senso.cloud", - "Description": "Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemoteView", + "Description": "RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -110,9 +107,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "SensoClient.exe", - "SensoService.exe", - "aadg.exe" + "remoteview.exe", + "rv.exe", + "rvagent.exe", + "rvagtray.exe" ] }, "Artifacts": { @@ -123,8 +121,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.senso.cloud", - "senso.cloud" + "*content.rview.com", + "*.rview.com", + "content.rview.com" ], "Ports": [] } 
@@ -132,25 +131,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml", - "Description": "Detects potential network activity of Senso.cloud RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml", + "Description": "Detects potential network activity of RemoteView RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml", - "Description": "Detects potential processes activity of Senso.cloud RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml", + "Description": "Detects potential processes activity of RemoteView RMM tool" } ], "References": [ - "https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration" + "https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall" ], "Acknowledgement": [] }, { - "Name": "I'm InTouch", - "Description": "I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Quest KACE Agent (formerly Dell KACE)", + "Description": "Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -165,9 +164,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "iit.exe", - "intouch.exe", - "I'm InTouch Go Installer.exe" + "konea.exe" ] }, "Artifacts": { @@ -178,8 +175,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.01com.com", - "01com.com/imintouch-remote-pc-desktop" + "*.kace.com", + "www.quest.com/kace/" ], "Ports": [] } 
@@ -187,25 +184,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml", - "Description": "Detects potential network activity of I'm InTouch RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml", + "Description": "Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml", - "Description": "Detects potential processes activity of I'm InTouch RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml", + "Description": "Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool" } ], "References": [ - "https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/" + "https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function" ], "Acknowledgement": [] }, { - "Name": "RustDesk", - "Description": "RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FleetDeck.io", + "Description": "FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -220,8 +217,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rustdesk*.exe", - "rustdesk.exe" + "fleetdeck_agent_svc.exe", + "fleetdeck_commander_svc.exe", + "fleetdeck_installer.exe", + "fleetdeck_commander_launcher.exe", + "fleetdeck_agent.exe" ] }, "Artifacts": { 
@@ -232,9 +232,9 @@ { "Description": "Known remote domains", "Domains": [ - "rustdesk.com", - "user_managed", - "web.rustdesk.com" + "*.fleetdeck.io", + "cognito-idp.us-west-2.amazonaws.com", + "fleetdeck.io" ], "Ports": [] } @@ -242,25 +242,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml", - "Description": "Detects potential network activity of RustDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml", + "Description": "Detects potential network activity of FleetDesk.io RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml", - "Description": "Detects potential processes activity of RustDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml", + "Description": "Detects potential processes activity of FleetDesk.io RMM tool" } ], "References": [ - "https://rustdesk.com/docs/en/" + "https://fleetdeck.io/faq/" ], "Acknowledgement": [] }, { - "Name": "Electric AI (Kaseya)", - "Description": "Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RuDesktop", + "Description": "RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -274,7 +274,10 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "rd.exe", + "rudesktop*.exe" + ] }, "Artifacts": { "Disk": [], @@ -284,7 +287,8 @@ { "Description": "Known remote domains", "Domains": [ - "electric.ai" + "*.rudesktop.ru", + "rudesktop.ru" ], "Ports": [] } 
@@ -292,21 +296,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml", - "Description": "Detects potential network activity of Electric RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml", + "Description": "Detects potential network activity of RuDesktop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml", + "Description": "Detects potential processes activity of RuDesktop RMM tool" } ], "References": [ - "https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf" + "https://rudesktop.ru" ], "Acknowledgement": [] }, { - "Name": "ZOC", - "Description": "ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ISL Online", + "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -321,32 +329,51 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\ZOC8\\*", - "*\\ZOC?\\*", - "*\\zoc.exe" + "islalwaysonmonitor.exe", + "isllight.exe", + "isllightservice.exe", + "ISLLightClient.exe", + "C:\\Program Files (x86)\\ISL Online\\ISL Light*", + "*\\ISL Online\\ISL Light*", + "*\\ISLLight.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.islonline.com", + "*.islonline.net" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml", - "Description": "Detects potential processes activity of ZOC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", + "Description": "Detects potential network activity of ISL Online RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", + "Description": "Detects potential processes activity of ISL Online RMM tool" } ], - "References": [], + "References": [ + "https://help.islonline.com/19818/165940" + ], "Acknowledgement": [] }, { - "Name": "Any Support", - "Description": "Any Support is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MSP360", + "Description": "MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/27/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -361,7 +388,17 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ManualLauncher.exe" + "Online Backup.exe", + "CBBackupPlan.exe", + "Cloud.Backup.Scheduler.exe", + "Cloud.Backup.RM.Service.exe", + "cbb.exe", + "CloudRaService.exe", + "CloudRaSd.exe", + "CloudRaCmd.exe", + "CloudRaUtilities.exe", + "Remote Desktop.exe", + "Connect.exe" ] }, "Artifacts": { @@ -372,7 +409,10 @@ { "Description": "Known remote domains", "Domains": [ - "*.anysupport.net" + "*.cloudberrylab.com", + "*.msp360.com", + "*.mspbackups.com", + "msp360.com" ], "Ports": [] } @@ -380,25 +420,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml", - "Description": "Detects potential network activity of Any Support RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml", + "Description": "Detects potential network activity of MSP360 RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml", - "Description": "Detects potential processes activity of Any Support RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml", + "Description": "Detects potential processes activity of MSP360 RMM tool" } ], "References": [ - "https://www.anysupport.net/introduce_howto.php" + "https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#" ], "Acknowledgement": [] }, { - "Name": "PDQ Connect", - "Description": "PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Supremo", + "Description": "Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/13/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -413,7 +453,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pdq-connect*.exe" + "supremo.exe", + "supremoservice.exe", + "supremosystem.exe", + "supremohelper.exe" ] }, "Artifacts": { @@ -424,8 +467,9 @@ { "Description": "Known remote domains", "Domains": [ - "app.pdq.com", - "cfcdn.pdq.com" + "supremocontrol.com", + "*.supremocontrol.com", + "* .nanosystems.it" ], "Ports": [] } 
@@ -433,79 +477,161 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml", - "Description": "Detects potential network activity of PDQ Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml", + "Description": "Detects potential network activity of Supremo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of PDQ Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml", + "Description": "Detects potential processes activity of Supremo RMM tool" } ], "References": [ - "https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements" + "https://www.supremocontrol.com/frequently-asked-questions/" ], "Acknowledgement": [] }, { - "Name": "Pcnow", - "Description": "Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/9/2024", + "Name": "Alpemix", + "Description": "Alpemix is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "Website": "https://www.alpemix.com/en/Home", + "PEMetadata": [ + { + "Filename": "Alpemix.exe", + "OriginalFileName": "Alpemix", + "Description": "Alpemix", + "Product": "Alpemix", + "InternalName": "Alpemix" + } + ], "Privileges": "", "Free": "", "Verification": "", - "SupportedOS": [], - "Capabilities": [], + "SupportedOS": [ + "Windows", + "Linux", + "Android", + "Mac", + "IOS" + ], + "Capabilities": [ + "5 Different Solutions for Remote Support", + "Access to Unattended Computers", + "Access to User Account Control (UAC) Screens", + "Add Your Own Logo", + "Auto Sizing", + "Automatic Update", + "Clipboard Transfer", + "Computer Independent Licensing", + "Contact List and Groups", + "Encrypted Communication", + "External Communication Barrier", + "File Transfer", + "Instant Messaging", + "Multi-Platform Support", + "Multiple Chat", + "Multiple Connections", + "No Port Forwarding Required", + "Peer to Peer Connection (p2p)", + "Receiving Offline Message", + "Remote Restart", + "ReportingRestricting The Authority", + "Screen Sharing", + "Sending Announcement Message", + "Sharing a certain part of the screen", + "Video Recording", + "Voice Communication", + "Who is currently supporting?", + "Working in Black Screen Mode" + ], "Vulnerabilities": [], "InstallationPaths": [ - "mwcliun.exe", - "pcnmgr.exe", - "webexpcnow.exe" + "C:\\AlpemixService.exe", + "C:\\AlpemixSrvc\\" ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], + "Disk": [ + { + "File": "%localappdata%\\Alpemix\\Alpemix.ini", + "Description": "N/A", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": 
"AlpemixSrvc", + "ImagePath": "*\\Alpemix.exe servicestartxxx", + "Description": "Service installation event as result of Alpemix installation." + } + ], + "Registry": [ + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx", + "Description": "N/A" + } + ], "Network": [ { - "Description": "Known remote domains", "Domains": [ - "au.pcmag.com/utilities/21470/webex-pcnow" + "*.alpemix.com" ], - "Ports": [] + "Ports": [ + 443 + ], + "Description": "N/A" + }, + { + "Domains": [ + "*.teknopars.com" + ], + "Ports": [ + 80 + ], + "Description": "N/A" } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml", - "Description": "Detects potential network activity of Pcnow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml", + "Description": "Detects potential registry activity of Alpemix RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml", - "Description": "Detects potential processes activity of Pcnow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml", + "Description": "Detects potential network activity of Alpemix RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml", + "Description": "Detects potential files activity of Alpemix RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml", + "Description": "Detects potential processes activity of Alpemix RMM tool" } ], "References": [ - "http://pcnow.webex.com/ - DOA as of 2024" + "https://www.alpemix.com/en/remote-access" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" + } + ] }, { - "Name": "Seetrol", - "Description": "Seetrol is a remote 
monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Bitvise SSH Server", + "Description": "Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -520,45 +646,29 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "seetrolcenter.exe", - "seetrolclient.exe", - "seetrolmyservice.exe", - "seetrolremote.exe", - "seetrolsetting.exe" + "C:\\Program Files\\Bitvise SSH Server\\*", + "*\\Bitvise SSH Server\\*", + "*\\BvSshServer-Inst.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "seetrol.co.kr" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml", - "Description": "Detects potential network activity of Seetrol RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml", - "Description": "Detects potential processes activity of Seetrol RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml", + "Description": "Detects potential processes activity of Bitvise SSH Server RMM tool" } ], - "References": [ - "http://www.seetrol.com/en/features/features3.php" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "CarotDAV", - "Description": "CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SmarTTY", + "Description": "SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -576,9 +686,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Rei Software\\CarotDAV\\*", - "*\\Rei Software\\CarotDAV\\*", - "*\\CarotDAV.exe" + "c:\\Program Files (x86)\\Sysprogs\\SmarTTY\\*", + "*\\Sysprogs\\SmarTTY\\*", + "*\\SmarTTY.exe" ] }, "Artifacts": { @@ -589,19 +699,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml", - "Description": "Detects potential processes activity of CarotDAV RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml", + "Description": "Detects potential processes activity of SmarTTY RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Goverlan", - "Description": "Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "KHelpDesk", + "Description": "KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -616,14 +726,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "goverrmc.exe", - "govsrv*.exe", - "GovAgentInstallHelper.exe", - "GovAgentx64.exe", - "GovReachClient.exe", - "C:\\Program Files (x86)\\PJ Technologies\\GOVsrv\\*", - "*\\PJ Technologies\\GOVsrv\\*", - "*\\GovSrv.exe" + "KHelpDesk.exe" ] }, "Artifacts": { @@ -634,8 +737,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "goverlan.com" + "*.khelpdesk.com.br" ], "Ports": [] } 
@@ -643,25 +745,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml", - "Description": "Detects potential network activity of Goverlan RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml", + "Description": "Detects potential network activity of KHelpDesk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml", - "Description": "Detects potential processes activity of Goverlan RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml", + "Description": "Detects potential processes activity of KHelpDesk RMM tool" } ], "References": [ - "https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf" + "https://www.khelpdesk.com.br/en-us" ], "Acknowledgement": [] }, { - "Name": "OptiTune", - "Description": "OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pocket Cloud (Wyse)", + "Description": "Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -676,43 +778,30 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "OTService.exe", - "OTPowerShell.exe" + "pocketcloud*.exe", + "pocketcloudservice.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.optitune.us", - "*.opti-tune.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml", - "Description": "Detects potential network activity of OptiTune RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml", - "Description": "Detects potential processes activity of OptiTune RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml", + "Description": "Detects potential processes activity of Pocket Cloud (Wyse) RMM tool" } ], "References": [ - "https://www.bravurasoftware.com/optitune/support/faq.aspx" + "https://wyse-pocketcloud.informer.com/2.1/" ], "Acknowledgement": [] }, { - "Name": "EMCO Remote Console", - "Description": "EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "AliWangWang-remote-control", + "Description": "AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -730,7 +819,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remoteconsole.exe" + "alitask.exe" ] }, "Artifacts": { @@ -741,8 +830,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "emcosoftware.com" + "wangwang.taobao.com" ], "Ports": [] } 
@@ -750,23 +838,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml", - "Description": "Detects potential network activity of EMCO Remote Console RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml", + "Description": "Detects potential network activity of AliWangWang-remote-control RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml", - "Description": "Detects potential processes activity of EMCO Remote Console RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml", + "Description": "Detects potential processes activity of AliWangWang-remote-control RMM tool" } ], - "References": [], + "References": [ + "https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale" + ], "Acknowledgement": [] }, { - "Name": "N-Able Advanced Monitoring Agent", - "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TurboMeeting", + "Description": "TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -781,12 +871,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Agent_*_RW.exe", - "BASEClient.exe", - "BASupApp.exe", - "BASupSrvc.exe", - "BASupSrvcCnfg.exe", - "BASupTSHelper.exe" + "pcstarter.exe", + "turbomeeting.exe", + "turbomeetingstarter.exe" ] }, "Artifacts": { 
@@ -797,17 +884,8 @@ { "Description": "Known remote domains", "Domains": [ - "*remote.management", - "*.logicnow.com", - "*systemmonitor.us", - "*systemmonitor.eu.com", - "*system-monitor.com", - "systemmonitor.us.cdn.cloudflare.net", - "*cloudbackup.management", - "*systemmonitor.co.uk", - "*.n-able.com", - "*.beanywhere.com ", - "*.swi-tc.com" + "user_managed", + "acceo.com/turbomeeting/" ], "Ports": [] } 
@@ -815,25 +893,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", - "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml", + "Description": "Detects potential network activity of TurboMeeting RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", - "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml", + "Description": "Detects potential processes activity of TurboMeeting RMM tool" } ], "References": [ - "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" + "http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv" ], "Acknowledgement": [] }, { - "Name": "Tailscale", - "Description": "Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeyondTrust (Bomgar)", + "Description": "BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -848,9 +926,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tailscale-*.exe", - "tailscaled.exe", - "tailscale-ipn.exe" + "bomgar-scc-*.exe", + "bomgar-scc.exe", + "bomgar-pac-*.exe", + "bomgar-pac.exe", + "bomgar-rdp.exe" ] }, "Artifacts": { 
@@ -861,9 +941,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.tailscale.com", - "*.tailscale.io", - "tailscale.com" + "*.beyondtrustcloud.com", + "*.bomgarcloud.com", + "bomgarcloud.com" ], "Ports": [] } @@ -871,25 +951,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml", - "Description": "Detects potential network activity of Tailscale RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml", + "Description": "Detects potential network activity of BeyondTrust (Bomgar) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml", - "Description": "Detects potential processes activity of Tailscale RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml", + "Description": "Detects potential processes activity of BeyondTrust (Bomgar) RMM tool" } ], "References": [ - "https://tailscale.com/kb/1023/troubleshooting" + "https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm" ], "Acknowledgement": [] }, { - "Name": "Pilixo", - "Description": "Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Absolute (Computrace)", + "Description": "Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "6/18/2024", "Details": { "Website": "", "PEMetadata": { @@ -904,8 +984,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rdp.exe", - "Pilixo_Installer*.exe" + "rpcnet.exe", + "ctes.exe", + "ctespersitence.exe", + "cteshostsvc.exe", + "rpcld.exe" ] }, "Artifacts": { 
@@ -916,9 +999,8 @@ { "Description": "Known remote domains", "Domains": [ - "pilixo.com", - "download.pilixo.com", - "*.pilixo.com" + "*search.namequery.com", + "*server.absolute.com" ], "Ports": [] } @@ -926,22 +1008,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml", - "Description": "Detects potential network activity of Pilixo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml", + "Description": "Detects potential network activity of Absolute (Computrace) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml", - "Description": "Detects potential processes activity of Pilixo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml", + "Description": "Detects potential processes activity of Absolute (Computrace) RMM tool" } ], "References": [ - "https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls" + "https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com" ], "Acknowledgement": [] }, { - "Name": "Remote Desktop Manager (Devolutions)", - "Description": "Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Impero Connect", + "Description": "Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -958,24 +1040,43 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "ImperoClientSVC.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "imperosoftware.com" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml", + "Description": "Detects potential network activity of Impero Connect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of Impero Connect RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "BeyondTrust (Bomgar)", - "Description": "BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netviewer (GoToMeet)", + "Description": "Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -990,11 +1091,55 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "bomgar-scc-*.exe", - "bomgar-scc.exe", - "bomgar-pac-*.exe", - "bomgar-pac.exe", - "bomgar-rdp.exe" + "nvClient.exe", + "netviewer.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml", + "Description": "Detects potential processes activity of Netviewer (GoToMeet) RMM tool" + } + ], + "References": [ + "Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html" + ], + "Acknowledgement": [] + }, + { + "Name": "Goverlan", + "Description": "Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/8/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "goverrmc.exe", + "govsrv*.exe", + "GovAgentInstallHelper.exe", + "GovAgentx64.exe", + "GovReachClient.exe", + "C:\\Program Files (x86)\\PJ Technologies\\GOVsrv\\*", + "*\\PJ Technologies\\GOVsrv\\*", + "*\\GovSrv.exe" ] }, "Artifacts": { @@ -1005,9 +1150,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.beyondtrustcloud.com", - "*.bomgarcloud.com", - "bomgarcloud.com" + "user_managed", + "goverlan.com" ], "Ports": [] } 
@@ -1015,147 +1159,133 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml", - "Description": "Detects potential network activity of BeyondTrust (Bomgar) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml", + "Description": "Detects potential network activity of Goverlan RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml", - "Description": "Detects potential processes activity of BeyondTrust (Bomgar) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml", + "Description": "Detects potential processes activity of Goverlan RMM tool" } ], "References": [ - "https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm" + "https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf" ], "Acknowledgement": [] }, { - "Name": "Alpemix", - "Description": "Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", + "Name": "RAdmin", + "Description": "RAdmin is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", "Author": "Nasreddine Bencherchali", "Created": "2024-08-05", "LastModified": "2024-08-05", "Details": { - "Website": "https://www.alpemix.com/en/Home", + "Website": "https://www.radmin.com/", "PEMetadata": [ { - "Filename": "Alpemix.exe", - "OriginalFileName": "Alpemix", - "Description": "Alpemix", - "Product": "Alpemix", - "InternalName": "Alpemix" + "Filename": "RServer3.exe", + "OriginalFileName": "RServer3.exe", + "InternalName": "RServer3", + "Description": "Radmin Server", + "Product": "Radmin Server", + "Comments": "Radmin - Remote Control Server" + }, + { + "Filename": "Radmin.exe", + "OriginalFileName": "Radmin.exe", + "InternalName": "Radmin", + "Description": "Radmin Viewer", + "Product": "Radmin Viewer", + "Comments": "Radmin Viewer" } ], "Privileges": "", "Free": "", "Verification": "", "SupportedOS": [ - "Windows", - "Linux", - "Android", - "Mac", - "IOS" - ], - "Capabilities": [ - "5 Different Solutions for Remote Support", - "Access to Unattended Computers", - "Access to User Account Control (UAC) Screens", - "Add Your Own Logo", - "Auto Sizing", - "Automatic Update", - "Clipboard Transfer", - "Computer Independent Licensing", - "Contact List and Groups", - "Encrypted Communication", - "External Communication Barrier", - "File Transfer", - "Instant Messaging", - "Multi-Platform Support", - "Multiple Chat", - "Multiple Connections", - "No Port Forwarding Required", - "Peer to Peer Connection (p2p)", - "Receiving Offline Message", - "Remote Restart", - "ReportingRestricting The Authority", - "Screen Sharing", - "Sending Announcement Message", - "Sharing a certain part of the screen", - "Video Recording", - "Voice Communication", - "Who is currently supporting?", - "Working in Black Screen Mode" + "Windows" ], + "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\AlpemixService.exe", - "C:\\AlpemixSrvc\\" + "C:\\Program Files (x86)\\Radmin Viewer 3\\Radmin.exe", + 
"C:\\Windows\\SysWOW64\\rserver30\\rserver3.exe", + "C:\\Windows\\SysWOW64\\rserver30\\FamItrfc", + "C:\\Windows\\SysWOW64\\rserver30\\FamItrf2" ] }, "Artifacts": { "Disk": [ { - "File": "%localappdata%\\Alpemix\\Alpemix.ini", - "Description": "N/A", + "File": "C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm", + "Description": "RAdmin log file (32-bit)", "OS": "Windows" - } - ], - "EventLog": [ + }, { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "AlpemixSrvc", - "ImagePath": "*\\Alpemix.exe servicestartxxx", - "Description": "Service installation event as result of Alpemix installation." + "File": "C:\\Windows\\System32\\rserver30\\Radm_log.htm", + "Description": "RAdmin log file (64-bit)", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm", + "Description": "RAdmin chat logs", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm", + "Description": "RAdmin user chat logs", + "OS": "Windows" } ], + "EventLog": [], "Registry": [ { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx", + "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security", "Description": "N/A" } ], "Network": [ { + "Description": "N/A", "Domains": [ - "*.alpemix.com" + "radmin.com" ], "Ports": [ 443 - ], - "Description": "N/A" - }, - { - "Domains": [ - "*.teknopars.com" - ], - "Ports": [ - 80 - ], - "Description": "N/A" + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml", - "Description": "Detects potential registry activity of Alpemix RMM tool" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml", + "Description": "PUA - Radmin Viewer Utility Execution" }, { - "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml", - "Description": "Detects potential network activity of Alpemix RMM tool" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml", + "Description": "Enumeration for 3rd Party Creds From CLI" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml", - "Description": "Detects potential files activity of Alpemix RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml", + "Description": "Detects potential registry activity of RAdmin RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml", - "Description": "Detects potential processes activity of Alpemix RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml", + "Description": "Detects potential network activity of RAdmin RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml", + "Description": "Detects potential files activity of RAdmin RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml", + "Description": "Detects potential processes activity of RAdmin RMM tool" } ], "References": [ - "https://www.alpemix.com/en/remote-access" + "https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/", + "https://helpdesk.radmin.com/radmin3help/", + "https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm", + "https://helpdesk.radmin.com/radmin3help/files/cmd.htm" ], "Acknowledgement": [ { 
@@ -1165,11 +1295,11 @@ ] }, { - "Name": "Auvik", - "Description": "Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Bitvise SSH Client", + "Description": "Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -1184,47 +1314,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "auvik.engine.exe", - "auvik.agent.exe" + "C:\\Program Files (x86)\\Bitvise SSH Client\\*", + "*\\Bitvise SSH Client\\*", + "*\\BvSshClient-Inst.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.my.auvik.com", - "*.auvik.com", - "auvik.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml", - "Description": "Detects potential network activity of Auvik RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml", - "Description": "Detects potential processes activity of Auvik RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml", + "Description": "Detects potential processes activity of Bitvise SSH Client RMM tool" } ], - "References": [ - "https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Tactical RMM", - "Description": "Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GoToAssist (GoTo Resolve)", + "Description": "GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -1239,47 +1354,27 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tacticalrmm.exe", - "tacticalrmm.exe" + "C:\\ProgramFiles*\\GoTo Machine Installer\\*", + "*\\GoTo Machine Installer\\*", + "*\\GoTo\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "login.tailscale.com", - "login.tailscale.com", - "docs.tacticalrmm.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml", - "Description": "Detects potential network activity of Tactical RMM RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml", - "Description": "Detects potential processes activity of Tactical RMM RMM tool" - } - ], - "References": [ - "docs.tacticalrmm.com" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "MioNet (WD Anywhere Access)", - "Description": "MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "LogMeIn rescue", + "Description": "LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1294,33 +1389,48 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mionet.exe", - "mionetmanager.exe" + "support-logmeinrescue*.exe", + "support-logmeinrescue.exe", + "lmi_rescue.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.logmeinrescue.com", + "*.logmeinrescue.eu", + "logmeinrescue.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml", - "Description": "Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml", + "Description": "Detects potential network activity of LogMeIn rescue RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml", + "Description": "Detects potential processes activity of LogMeIn rescue RMM tool" } ], "References": [ - "https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016" + "https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue" ], "Acknowledgement": [] }, { - "Name": "Comodo RMM", - "Description": "Comodo RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Splashtop (Beta)", + "Description": "Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -1335,8 +1445,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "itsmagent.exe", - "rviewer.exe" + "SRServer.exe", + "SplashtopSOS.exe", + "Splashtop_Streamer_Windows*.exe", + "SRManager.exe" ] }, "Artifacts": { @@ -1347,9 +1459,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.itsm-us1.comodo.com", - "*mdmsupport.comodo.com", - "one.comodo.com" + "splashtop.com" ], "Ports": [] } @@ -1357,22 +1467,20 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml", - "Description": "Detects potential network activity of Comodo RMM RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml", + "Description": "Detects potential network activity of Splashtop (Beta) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml", - "Description": "Detects potential processes activity of Comodo RMM RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml", + "Description": "Detects potential processes activity of Splashtop (Beta) RMM tool" } ], - "References": [ - "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Pocket Controller", - "Description": "Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GoToAssist Agent Desktop Console", + "Description": "GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -1390,41 +1498,23 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pocketcontroller.exe", - "pocketcloudservice.exe", - "wysebrowser.exe" + "C:\\*\\G2RDesktopConsole-x64.msi", + "*\\G2RDesktopConsole-x64.msi" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "soti.net/products/soti-pocket-controller" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml", - "Description": "Detects potential network activity of Pocket Controller RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml", - "Description": "Detects potential processes activity of Pocket Controller RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "NordLocker", - "Description": "NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ConnectWise", + "Description": "ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -1441,8 +1531,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] - }, + "InstallationPaths": [ + "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", + "*\\ScreenConnect*Client*\\*" + ] + }, "Artifacts": { "Disk": [], "EventLog": [], 
@@ -1454,11 +1547,11 @@ "Acknowledgement": [] }, { - "Name": "OCS inventory", - "Description": "OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netop Remote Control (aka Impero Connect)", + "Description": "Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -1473,8 +1566,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ocsinventory.exe", - "ocsservice.exe" + "nhostsvc.exe", + "nhstw32.exe", + "nldrw32.exe", + "rmserverconsolemediator.exe" ] }, "Artifacts": { @@ -1485,8 +1580,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "ocsinventory-ng.org" + "imperosoftware.com/impero-connect/" ], "Ports": [] } 
@@ -1494,25 +1588,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml", - "Description": "Detects potential network activity of OCS inventory RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml", + "Description": "Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml", - "Description": "Detects potential processes activity of OCS inventory RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml", + "Description": "Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool" } ], - "References": [ - "https://ocsinventory-ng.org/?page_id=878&lang=en" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "GotoHTTP", - "Description": "GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Splashtop Remote", + "Description": "Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -1527,9 +1619,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "GotoHTTP_x64.exe", - "gotohttp.exe", - "GotoHTTP*.exe" + "strwinclt.exe", + "Splashtop_Streamer_Windows*.exe", + "SplashtopSOS.exe", + "sragent.exe", + "srmanager.exe", + "srserver.exe", + "srservice.exe" ] }, "Artifacts": { 
@@ -1540,8 +1636,10 @@ { "Description": "Known remote domains", "Domains": [ - "*.gotohttp.com", - "gotohttp.com" + "splashtop.com", + "*.api.splashtop.com", + "*.relay.splashtop.com", + "*.api.splashtop.eu" ], "Ports": [] } @@ -1549,22 +1647,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml", - "Description": "Detects potential network activity of GotoHTTP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml", + "Description": "Detects potential network activity of Splashtop Remote RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml", - "Description": "Detects potential processes activity of GotoHTTP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml", + "Description": "Detects potential processes activity of Splashtop Remote RMM tool" } ], "References": [ - "https://gotohttp.com/goto/help.12x" + "https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services" ], "Acknowledgement": [] }, { - "Name": "Terminals", - "Description": "Terminals is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Chrome SSH Extension", + "Description": "Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -1581,7 +1679,10 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*", + "*Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*" + ] }, "Artifacts": { "Disk": [], @@ -1594,11 +1695,11 @@ "Acknowledgement": [] }, { - "Name": "RPort", - "Description": "RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Access Remote PC", + "Description": "Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1613,45 +1714,31 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rport.exe" + "rpcgrab.exe", + "rpcsetup.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "rport.io" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml", - "Description": "Detects potential network activity of RPort RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml", - "Description": "Detects potential processes activity of RPort RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml", + "Description": "Detects potential processes activity of Access Remote PC RMM tool" } ], - "References": [ - "https://kb.rport.io/using-the-remote-access" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "CentraStage (Now Datto)", - "Description": "CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "N-Able Advanced Monitoring Agent", + "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -1666,8 +1753,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "CagService.exe", - "AEMAgent.exe" + "BASupSrvc.exe", + "winagent.exe", + "BASupApp.exe", + "BASupTSHelper.exe", + "Agent_*_RW.exe", + "BASEClient.exe", + "BASupSrvcCnfg.exe" ] }, "Artifacts": { 
@@ -1678,9 +1770,25 @@ { "Description": "Known remote domains", "Domains": [ - "*.rmm.datto.com", - "*cc.centrastage.net", - "datto.com/au/products/rmm/" + "*.beanywhere.com ", + "systemmonitor.co.uk", + "*system-monitor.com", + "cloudbackup.management", + "*systemmonitor.co.uk", + "n-able.com", + "systemmonitor.us", + "*systemmonitor.eu.com", + "*.logicnow.com", + "*.swi-tc.com", + "*remote.management", + "systemmonitor.us.cdn.cloudflare.net", + "*cloudbackup.management", + "remote.management", + "logicnow.com", + "system-monitor.com", + "*systemmonitor.us", + "systemmonitor.eu.com", + "*.n-able.com" ], "Ports": [] } 
@@ -1688,25 +1796,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml", - "Description": "Detects potential network activity of CentraStage (Now Datto) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", + "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml", - "Description": "Detects potential processes activity of CentraStage (Now Datto) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", + "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" } ], "References": [ - "https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm" + "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" ], "Acknowledgement": [] }, { - "Name": "Instant Housecall", - "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netop Remote Control (Impero Connect)", + "Description": "Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1721,10 +1829,15 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "hsloader.exe", - "InstantHousecall.exe", - "ihcserver.exe", - "instanthousecall.exe" + "nhostsvc.exe", + "nhstw32.exe", + "ngstw32.exe", + "Netop Ondemand.exe", + "nldrw32.exe", + "rmserverconsolemediator.exe", + "ImperoInit.exe", + "Connect.Backdrop.cloud*.exe", + "ImperoClientSVC.exe" ] }, "Artifacts": { @@ -1735,10 +1848,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.instanthousecall.com", - "secure.instanthousecall.com", - "*.instanthousecall.net", - "instanthousecall.com" + "*.connect.backdrop.cloud", + "*.netop.com" ], "Ports": [] } 
@@ -1746,25 +1857,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", - "Description": "Detects potential network activity of Instant Housecall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml", + "Description": "Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", - "Description": "Detects potential processes activity of Instant Housecall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml", + "Description": "Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool" } ], "References": [ - "https://instanthousecall.com/features/" + "https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html" ], "Acknowledgement": [] }, { - "Name": "CruzControl", - "Description": "CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pocket Controller", + "Description": "Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -1778,26 +1889,45 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "pocketcontroller.exe", + "pocketcloudservice.exe", + "wysebrowser.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "soti.net/products/soti-pocket-controller" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [ - "https://resources.doradosoftware.com/cruz-rmm" + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml", + "Description": "Detects potential network activity of Pocket Controller RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml", + "Description": "Detects potential processes activity of Pocket Controller RMM tool" + } ], + "References": [], "Acknowledgement": [] }, { - "Name": "Mikogo", - "Description": "Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pilixo", + "Description": "Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -1812,14 +1942,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mikogo.exe", - "mikogo-starter.exe", - "mikogo-service.exe", - "mikogolauncher.exe", - "C:\\Users\\*\\AppData\\Roaming\\Mikogo\\*", - "*Users\\*\\AppData\\Roaming\\Mikogo\\*", - "*\\Mikogo-Service.exe", - "*\\Mikogo-Screen-Service.exe" + "rdp.exe", + "Pilixo_Installer*.exe" ] }, "Artifacts": { 
@@ -1830,10 +1954,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.real-time-collaboration.com", - "*.mikogo4.com", - "*.mikogo.com", - "mikogo.com" + "pilixo.com", + "download.pilixo.com", + "*.pilixo.com" ], "Ports": [] } @@ -1841,25 +1964,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml", - "Description": "Detects potential network activity of Mikogo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml", + "Description": "Detects potential network activity of Pilixo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml", - "Description": "Detects potential processes activity of Mikogo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml", + "Description": "Detects potential processes activity of Pilixo RMM tool" } ], "References": [ - "https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services" + "https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls" ], "Acknowledgement": [] }, { - "Name": "mRemoteNG", - "Description": "mRemoteNG is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Iperius Remote", + "Description": "Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1874,42 +1997,22 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mRemoteNG.exe", - "C:\\Program Files (x86)\\mRemoteNG\\*", - "*\\mRemoteNG\\*", - "*\\mRemoteNG.exe", - "c:\\Program Files (x86)%\\mRemoteNG", - "*%\\mRemoteNG", - "mRemoteNG-Installer-*.msi", - "*\\mRemoteNG.exe" + "iperius.exe", + "iperiusremote.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log", - "Description": "mRemoteNG log file", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml", - "Description": "mRemoteNG configuration file", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config", - "Description": "mRemoteNG user configuration file", - "OS": "Windows" - } - ], + "Disk": [], "EventLog": [], "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "mremoteng.org" + "*.iperiusremote.com", + "*.iperius.com", + "*.iperius-rs.com", + "iperiusremote.com" ], "Ports": [] } 
@@ -1917,29 +2020,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml", - "Description": "Detects potential network activity of mRemoteNG RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml", - "Description": "Detects potential files activity of mRemoteNG RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml", + "Description": "Detects potential network activity of Iperius Remote RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml", - "Description": "Detects potential processes activity of mRemoteNG RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml", + "Description": "Detects potential processes activity of Iperius Remote RMM tool" } ], "References": [ - "https://github.com/mRemoteNG/mRemoteNG" + "https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx" ], "Acknowledgement": [] }, { - "Name": "LabTech RMM (Now ConnectWise Automate)", - "Description": "LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Microsoft RDP", + "Description": "Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1954,44 +2053,34 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ltsvc.exe", - "ltsvcmon.exe", - "lttray.exe" + "termsrv.exe", + "mstsc.exe", + "Microsoft Remote Desktop" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "connectwise.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml", - "Description": "Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml", - "Description": "Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft RDP RMM tool" } ], - "References": [], + "References": [ + "https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows" + ], "Acknowledgement": [] }, { - "Name": "ScreenMeet", - "Description": "ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Total Software Deployment", + "Description": "Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -2006,46 +2095,33 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ScreenMeetSupport.exe", - "ScreenMeet.Support.exe" + "C:\\ProgramData\\Total Software Deployment\\*", + "*\\Total Software Deployment\\*", + "*\\tniwinagent.exe", + "*\\Tsdservice.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.screenmeet.com", - "*.scrn.mt" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml", - "Description": "Detects potential network activity of ScreenMeet RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml", - "Description": "Detects potential processes activity of ScreenMeet RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml", + "Description": "Detects potential processes activity of Total Software Deployment RMM tool" } ], - "References": [ - "https://docs.screenmeet.com/docs/firewall-white-list" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "RES Automation Manager", - "Description": "RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Apple Remote Desktop", + "Description": "Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/24/2024", "Details": { "Website": "", "PEMetadata": { @@ -2060,10 +2136,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "wisshell*.exe", - "wmc.exe", - "wmc_deployer.exe", - "wmcsvc.exe" + "ARDAgent.app" ] }, "Artifacts": { 
@@ -2074,8 +2147,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "ivanti.com/" + "user_managed" ], "Ports": [] } @@ -2083,25 +2155,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml", - "Description": "Detects potential network activity of RES Automation Manager RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml", - "Description": "Detects potential processes activity of RES Automation Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Apple Remote Desktop RMM tool" } ], "References": [ - "https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1" + "https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac" ], "Acknowledgement": [] }, { - "Name": "Anyplace Control", - "Description": "Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Free Ping Tool", + "Description": "Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -2116,44 +2184,26 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "apc_host.exe" + "can't find this one", + "can't find this one" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "anyplace-control.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml", - "Description": "Detects potential network activity of Anyplace Control RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml", - "Description": "Detects potential processes activity of Anyplace Control RMM tool" - } - ], - "References": [ - "http://www.anyplace-control.com/anyplace-control/help/faq.htm" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "TightVNC", - "Description": "TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "LiteManager", + "Description": "LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -2168,9 +2218,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tvnviewer.exe", - "TightVNCViewerPortable*.exe", - "tvnserver.exe" + "lmnoipserver.exe", + "ROMFUSClient.exe", + "romfusclient.exe", + "romviewer.exe", + "romserver.exe", + "ROMServer.exe" ] }, "Artifacts": { @@ -2181,8 +2234,9 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "tightvnc.com" + "*.litemanager.ru", + "*.litemanager.com", + "litemanager.com" ], "Ports": [] } 
@@ -2190,25 +2244,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml", - "Description": "Detects potential network activity of TightVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml", + "Description": "Detects potential network activity of LiteManager RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml", - "Description": "Detects potential processes activity of TightVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml", + "Description": "Detects potential processes activity of LiteManager RMM tool" } ], "References": [ - "https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf" + "https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/" ], "Acknowledgement": [] }, { - "Name": "LiteManager", - "Description": "LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NetSupport Manager", + "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -2223,12 +2277,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "lmnoipserver.exe", - "ROMFUSClient.exe", - "romfusclient.exe", - "romviewer.exe", - "romserver.exe", - "ROMServer.exe" + "pcictlui.exe", + "client32.exe", + "pcicfgui.exe" ] }, "Artifacts": { 
@@ -2239,9 +2290,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.litemanager.ru", - "*.litemanager.com", - "litemanager.com" + "geo.netsupportsoftware.com", + "netsupportmanager.com", + "*.netsupportmanager.com" ], "Ports": [] } @@ -2249,25 +2300,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml", - "Description": "Detects potential network activity of LiteManager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml", + "Description": "Detects potential network activity of NetSupport Manager RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml", - "Description": "Detects potential processes activity of LiteManager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml", + "Description": "Detects potential processes activity of NetSupport Manager RMM tool" } ], "References": [ - "https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/" + "https://www.netsupportmanager.com/resources/" ], "Acknowledgement": [] }, { - "Name": "Sophos-Remote Management System", - "Description": "Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Weezo", + "Description": "Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -2282,9 +2333,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "clientmrinit.exe", - "mgntsvc.exe", - "routernt.exe" + "weezohttpd.exe", + "weezo.exe", + "weezo setup*.exe" ] }, "Artifacts": { 
@@ -2295,10 +2346,10 @@ { "Description": "Known remote domains", "Domains": [ - "*.sophos.com", - "*.sophosupd.com", - "*.sophosupd.net", - "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" + "*.weezo.me", + "weezo.net", + "*.weezo.net", + "weezo.en.softonic.com" ], "Ports": [] } 
@@ -2306,67 +2357,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml", - "Description": "Detects potential network activity of Sophos-Remote Management System RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml", + "Description": "Detects potential network activity of Weezo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml", - "Description": "Detects potential processes activity of Sophos-Remote Management System RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml", + "Description": "Detects potential processes activity of Weezo RMM tool" } ], "References": [ - "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" - ], - "Acknowledgement": [] - }, - { - "Name": "ManageEngine", - "Description": "ManageEngine is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "InstallShield Setup.exe", - "ManageEngine_Remote_Access_Plus.exe", - "*\\dcagentservice.exe", - "C:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\*", - "*\\DesktopCentral_Agent\\bin\\*" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml", - "Description": "Detects potential processes activity of ManageEngine RMM tool" - } + "weezo.en.softonic.com" ], - "References": [], "Acknowledgement": [] }, { - "Name": "Splashtop Remote", - "Description": "Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Centurion", + "Description": "Centurion is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -2381,13 +2390,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "strwinclt.exe", - "Splashtop_Streamer_Windows*.exe", - "SplashtopSOS.exe", - "sragent.exe", - "srmanager.exe", - "srserver.exe", - "srservice.exe" + "ctiserv.exe" ] }, "Artifacts": { @@ -2398,10 +2401,7 @@ { "Description": "Known remote domains", "Domains": [ - "splashtop.com", - "*.api.splashtop.com", - "*.relay.splashtop.com", - "*.api.splashtop.eu" + "centuriontech.com" ], "Ports": [] } 
@@ -2409,25 +2409,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml", - "Description": "Detects potential network activity of Splashtop Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml", + "Description": "Detects potential network activity of Centurion RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml", - "Description": "Detects potential processes activity of Splashtop Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml", + "Description": "Detects potential processes activity of Centurion RMM tool" } ], "References": [ - "https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services" + "https://data443.atlassian.net/servicedesk/customer/portal/20" ], "Acknowledgement": [] }, { - "Name": "rdp2tcp", - "Description": "rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "UltraVNC", + "Description": "UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -2442,8 +2442,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tdp2tcp.exe", - "rdp2tcp.py" + "UltraVNC*.exe" ] }, "Artifacts": { @@ -2454,8 +2453,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "github.com/V-E-O/rdp2tcp" + "ultravnc.com", + "user_managed" ], "Ports": [] } 
@@ -2463,25 +2462,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml", - "Description": "Detects potential network activity of rdp2tcp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml", + "Description": "Detects potential network activity of UltraVNC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml", - "Description": "Detects potential processes activity of rdp2tcp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml", + "Description": "Detects potential processes activity of UltraVNC RMM tool" } ], "References": [ - "github.com/V-E-O/rdp2tcp" + "https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html" ], "Acknowledgement": [] }, { - "Name": "Jump Cloud", - "Description": "Jump Cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TightVNC", + "Description": "TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -2496,7 +2495,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "JumpCloud*.exe " + "tvnviewer.exe", + "TightVNCViewerPortable*.exe", + "tvnserver.exe" ] }, "Artifacts": { @@ -2507,8 +2508,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.api.jumpcloud.com", - "*.assist.jumpcloud.com" + "user_managed", + "tightvnc.com" ], "Ports": [] } 
@@ -2516,21 +2517,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml", - "Description": "Detects potential network activity of Jump Cloud RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml", + "Description": "Detects potential network activity of TightVNC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml", + "Description": "Detects potential processes activity of TightVNC RMM tool" } ], "References": [ - "https://jumpcloud.com/support/understand-remote-assist-agent" + "https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf" ], "Acknowledgement": [] }, { - "Name": "RuDesktop", - "Description": "RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ToDesk", + "Description": "ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -2545,8 +2550,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rd.exe", - "rudesktop*.exe" + "todesk.exe", + "ToDesk_Service.exe", + "ToDesk_Setup.exe" ] }, "Artifacts": { @@ -2557,8 +2563,10 @@ { "Description": "Known remote domains", "Domains": [ - "*.rudesktop.ru", - "rudesktop.ru" + "todesk.com", + "*.todesk.com", + "*.todesk.com", + "todesktop.com" ], "Ports": [] } 
@@ -2566,142 +2574,148 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml", - "Description": "Detects potential network activity of RuDesktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml", + "Description": "Detects potential network activity of ToDesk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml", - "Description": "Detects potential processes activity of RuDesktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml", + "Description": "Detects potential processes activity of ToDesk RMM tool" } ], "References": [ - "https://rudesktop.ru" + "https://www.todesk.com/" ], "Acknowledgement": [] }, { - "Name": "LogMeIn", - "Description": "LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", + "Name": "GoToMyPC", + "Description": "GoToMyPC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", "Author": "Nasreddine Bencherchali", "Created": "2024-08-05", "LastModified": "2024-08-05", "Details": { - "Website": "https://www.logmein.com/", + "Website": "", "PEMetadata": [ { - "Filename": "lmiguardiansvc.exe" + "Filename": "AppCore.exe" }, { - "Filename": "lmiignition.exe" + "Filename": "g2comm.exe" }, { - "Filename": "logmeinsystray.exe" + "Filename": "g2file*.exe" }, { - "Filename": "logmein.exe", - "OriginalFileName": "", - "Company": "LogMeIn, Inc.", - "Description": "LMIGuardianSvc", - "Product": "LMIGuardianSvc" - } - ], - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": null - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + "Filename": "g2fileh.exe" + }, { - "Description": "N/A", - "Domains": [ - "logmein-gateway.com" - ], - "Ports": [ - 443 - ] + "Filename": "g2host.exe" }, { - "Description": "N/A", - "Domains": [ - "*.logmein.com" - ], - "Ports": [ - 443 - ] + "Filename": "g2m_download.exe" }, { - "Description": "N/A", - "Domains": [ - "*.logmein.eu" - ], - "Ports": [ - 443 - ] + "Filename": "g2mainh.exe" }, { - "Description": "N/A", - "Domains": [ - "logmeinrescue.com" - ], - "Ports": [ - 443 - ] + "Filename": "G2MChat.exe" }, { - "Description": "N/A", - "Domains": [ - "*.logmeininc.com" - ], - "Ports": [ - 443 - ] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml", - "Description": "DNS Query To Remote Access Software Domain From Non-Browser App" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml", - "Description": "Remote Access Tool - LogMeIn Execution" - }, - { - 
"Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml", - "Description": "Detects potential network activity of LogMeIn RMM tool" - } - ], - "References": [ - "https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration" - ], - "Acknowledgement": [ - { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" - } - ] - }, - { - "Name": "SmartFTP", - "Description": "SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "Filename": "G2MCodecInstExtractor.exe" + }, + { + "Filename": "G2MComm.exe" + }, + { + "Filename": "G2MCoreInstExtractor.exe" + }, + { + "Filename": "G2MFeedback.exe" + }, + { + "Filename": "G2MHost.exee" + }, + { + "Filename": "G2MInstaller.exe" + }, + { + "Filename": "G2MInstallerExtractor.exe" + }, + { + "Filename": "G2MInstHigh.exe" + }, + { + "Filename": "G2MLauncher.exe" + }, + { + "Filename": "G2MMatchMaking.exe" + }, + { + "Filename": "G2MMaterials.exe" + }, + { + "Filename": "G2MPolling.exe" + }, + { + "Filename": "G2MQandA.exe" + }, + { + "Filename": "G2MRecorder.exe" + }, + { + "Filename": "G2MScrUtil64.exe" + }, + { + "Filename": "G2MSessionControl.exe" + }, + { + "Filename": "G2MStart.exe" + }, + { + "Filename": "G2MTesting.exe" + }, + { + "Filename": "G2MTranscoder.exe" + }, + { + "Filename": "G2MUI.exe" + }, + { + "Filename": "G2MUninstall.exe" + }, + { + "Filename": "g2mupload.exe" + }, + { + "Filename": "g2mvideoconference.exe" + }, + { + "Filename": "G2MView.exe" + }, + { + "Filename": "g2printh.exe" + }, + { + "Filename": "g2quick.exe" + }, + { + "Filename": "g2svc.exe" + }, + { + "Filename": "g2tray.exe" + }, + { + "Filename": "gopcsrv.exe" + }, + { + "Filename": "GoToScrUtils.exe" + }, + { + "Filename": "GoTo.exe", + 
"OriginalFileName": "", + "Description": "" + } + ], "Privileges": "", "Free": "", "Verification": "", 
@@ -2709,24 +2723,77 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\SmartFTP Client\\en-US\\", - "*\\SmartFTP Client\\*", - "*\\SfShellTools.dll.mui" + "C:\\Program Files (x86)\\GoToMyPC\\*" ] }, "Artifacts": { - "Disk": [], + "Disk": [ + { + "File": "%AppData%\\GoTo\\Logs\\goto.log", + "Description": "N/A", + "OS": "Windows" + } + ], "EventLog": [], - "Registry": [], - "Network": [] + "Registry": [ + { + "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc", + "Description": "Configuration settings including registration email" + }, + { + "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite", + "Description": "Guest invites send to connect" + }, + { + "Path": "HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", + "Description": "hostname of the computer making connections and location of transferred files" + }, + { + "Path": "HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", + "Description": "hostname of the computer making connections and location of transferred files" + } + ], + "Network": [ + { + "Description": "N/A", + "Domains": [ + "*.GoToMyPC.com" + ], + "Ports": [ + "N/A" + ] + } + ] }, - "Detections": [], - "References": [], - "Acknowledgement": [] + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml", + "Description": "Detects potential registry activity of GoToMyPC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml", + "Description": "Detects potential network activity of GoToMyPC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml", + "Description": "Detects potential files activity of GoToMyPC RMM tool" + } + ], + "References": [ + "https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#", + 
"https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls", + "https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/" + ], + "Acknowledgement": [ + { + "Person": "Phill Moore", + "Handle": "@phillmoore" + } + ] }, { - "Name": "NetSupport Manager", - "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Neturo", + "Description": "Neturo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -2744,9 +2811,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pcictlui.exe", - "pcicfgui.exe", - "client32.exe" + "neturo*.exe", + "ntrntservice.exe", + "neturo.exe" ] }, "Artifacts": { @@ -2757,8 +2824,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.netsupportmanager.com", - "netsupportmanager.com" + "neturo.uplus.co.kr" ], "Ports": [] } 
@@ -2766,25 +2832,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml", - "Description": "Detects potential network activity of NetSupport Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml", + "Description": "Detects potential network activity of Neturo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml", - "Description": "Detects potential processes activity of NetSupport Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml", + "Description": "Detects potential processes activity of Neturo RMM tool" } ], "References": [ - "https://www.netsupportmanager.com/resources/" + "Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2" ], "Acknowledgement": [] }, { - "Name": "Pocket Cloud (Wyse)", - "Description": "Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GoToAssist", + "Description": "GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -2799,33 +2865,53 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pocketcloud*.exe", - "pocketcloudservice.exe" + "gotoassist.exe", + "g2a*.exe", + "GoTo Assist Opener.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "goto.com", + "*.getgo.com", + "*.fastsupport.com", + "*.gotoassist.com", + "helpme.net", + "*.gotoassist.me", + "*.gotoassist.at", + "*.desktopstreaming.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml", - "Description": "Detects potential processes activity of Pocket Cloud (Wyse) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml", + "Description": "Detects potential network activity of GoToAssist RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml", + "Description": "Detects potential processes activity of GoToAssist RMM tool" } ], "References": [ - "https://wyse-pocketcloud.informer.com/2.1/" + "https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5" ], "Acknowledgement": [] }, { - "Name": "Guacamole", - "Description": "Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DameWare", + "Description": "DameWare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -2840,19 +2926,26 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "guacd.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], + "SolarWinds-Dameware-DRS*.exe", + "DameWare Mini Remote Control*.exe", + "C:\\Windows\\dwrcs\\*\n c:\\Program File\\SolarWinds\\Dameware Mini Remote Control\\*", + "dntus*.exe", + "dwrcs.exe", + "*\\dwrcs\\*", + "*\\dwrcst.exe", + "DameWare Remote Support.exe", + "SolarWinds-Dameware-MRC*.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "guacamole.apache.org" + "dameware.com" ], "Ports": [] } 
@@ -2860,25 +2953,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml", - "Description": "Detects potential network activity of Guacamole RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml", + "Description": "Detects potential network activity of Dameware-mini remote control Protocol RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml", - "Description": "Detects potential processes activity of Guacamole RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml", + "Description": "Detects potential processes activity of DameWare RMM tool" } ], "References": [ - "guacamole.apache.org" + "https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm" ], "Acknowledgement": [] }, { - "Name": "LANDesk", - "Description": "LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "OptiTune", + "Description": "OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -2893,16 +2986,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "issuser.exe", - "landeskagentbootstrap.exe", - "LANDeskPortalManager.exe", - "ldinv32.exe", - "ldsensors.exe", - "C:\\Program Files (x86)\\LANDesk\\*", - "*\\LANDesk\\*", - "*\\issuser.exe", - "*\\softmon.exe", - "*\\tmcsvc.exe" + "OTService.exe", + "OTPowerShell.exe" ] }, "Artifacts": { 
@@ -2913,9 +2998,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.ivanticloud.com", - "*.ivanti.com", - "ivanti.com" + "*.optitune.us", + "*.opti-tune.com" ], "Ports": [] } 
@@ -2923,25 +3007,58 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml", - "Description": "Detects potential network activity of LANDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml", + "Description": "Detects potential network activity of OptiTune RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml", - "Description": "Detects potential processes activity of LANDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml", + "Description": "Detects potential processes activity of OptiTune RMM tool" } ], "References": [ - "https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US" + "https://www.bravurasoftware.com/optitune/support/faq.aspx" ], "Acknowledgement": [] }, { - "Name": "pcAnywhere", - "Description": "pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Chicken (of the VNC)", + "Description": "Chicken (of the VNC) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [ + "https://github.com/flit/cotvnc" + ], + "Acknowledgement": [] + }, + { + "Name": "UltraViewer", + "Description": "UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -2956,10 +3073,18 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "awhost32.exe", - "awrem32.exe", - "pcaquickconnect.exe", - "winaw32.exe" + "UltraViewer_Service.exe", + "UltraViewer_setup*", + "UltraViewer_Desktop.exe", + "ultraviewer.exe", + "C:\\Program Files (x86)\\UltraViewer\\UltraViewer_Desktop.exe", + "*\\UltraViewer\\", + "*\\UltraViewer_Desktop.exe", + "ultraviewer_desktop.exe", + "ultraviewer_service.exe", + "UltraViewer_Desktop.exe", + "UltraViewer_setup*", + "UltraViewer_Service.exe" ] }, "Artifacts": { @@ -2970,7 +3095,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "* .ultraviewer.net", + "ultraviewer.net" ], "Ports": [] } 
@@ -2978,25 +3104,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml", - "Description": "Detects potential network activity of pcAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml", + "Description": "Detects potential network activity of UltraViewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of pcAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of UltraViewer RMM tool" } ], "References": [ - "https://en.wikipedia.org/wiki/PcAnywhere" + "https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html" ], "Acknowledgement": [] }, { - "Name": "mstsc", - "Description": "mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Barracuda", + "Description": "Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -3010,32 +3136,41 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Windows\\System32\\mstsc.exe", - "*Windows\\System32\\mstsc.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.islonline.net", + "rmm.barracudamsp.com", + "barracudamsp.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml", - "Description": "Detects potential processes activity of mstsc RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml", + "Description": "Detects potential network activity of Barracuda RMM tool" } ], - "References": [], + "References": [ + "https://help.islonline.com/19799/166125" + ], "Acknowledgement": [] }, { - "Name": "FreeNX", - "Description": "FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Senso.cloud", + "Description": "Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -3050,31 +3185,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\nxplayer.exe", - "*\\nxplayer.exe" + "SensoClient.exe", + "SensoService.exe", + "aadg.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.senso.cloud", + "senso.cloud" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml", - "Description": "Detects potential processes activity of FreeNX RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml", + "Description": "Detects potential network activity of Senso.cloud RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml", + "Description": "Detects potential processes activity of Senso.cloud RMM tool" } ], - "References": [], + "References": [ + "https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration" + ], "Acknowledgement": [] }, { - "Name": "PSEXEC (Clone)", - "Description": "PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Any Support", + "Description": "Any Support is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/27/2024", "Details": { "Website": "", "PEMetadata": { @@ -3089,13 +3240,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "paexec.exe", - "PAExec-*.exe", - "csexec.exe ", - "remcom.exe", - "remcomsvc.exe", - "xcmd.exe", - "xcmdsvc.exe" + "ManualLauncher.exe" ] }, "Artifacts": { 
@@ -3106,7 +3251,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "*.anysupport.net" ], "Ports": [] } @@ -3114,22 +3259,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml", - "Description": "Detects potential network activity of PSEXEC (Clone) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml", + "Description": "Detects potential network activity of Any Support RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml", - "Description": "Detects potential processes activity of PSEXEC (Clone) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml", + "Description": "Detects potential processes activity of Any Support RMM tool" } ], "References": [ - "https://www.poweradmin.com/paexec/" + "https://www.anysupport.net/introduce_howto.php" ], "Acknowledgement": [] }, { - "Name": "SpyAnywhere", - "Description": "SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote Desktop Plus", + "Description": "Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -3147,7 +3292,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "sysdiag.exe" + "rdp.exe" ] }, "Artifacts": { @@ -3158,8 +3303,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.spytech-web.com", - "spyanywhere.com" + "donkz.nl" ], "Ports": [] } 
@@ -3167,23 +3311,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml", - "Description": "Detects potential network activity of SpyAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml", + "Description": "Detects potential network activity of Remote Desktop Plus RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of SpyAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote Desktop Plus RMM tool" } ], "References": [ - "https://www.spyanywhere.com/support.shtml" + "https://www.donkz.nl/" ], "Acknowledgement": [] }, { - "Name": "MultCloud", - "Description": "MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", + "Name": "Splashtop", + "Description": "Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "Nasreddine Bencherchali", "Created": "", "LastModified": "", "Details": { 
@@ -3200,71 +3344,194 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "requires sign up", - "requires sign up" + "C:\\Program Files (x86)\\Splashtop\\*", + "*\\Splashtop\\Splashtop Remote\\Client for RMM\\*", + "strwinclt.exe" ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Visual Studio Dev Tunnel", - "Description": "Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], + "Disk": [ + { + "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt", + "Description": "N/A", + 
"OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe", + "Description": "Splashtop Remote Service", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe", + "Description": "SplashTop Remote Agent", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe", + "Description": "Splashtop Updater", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3", + "Description": "N/A", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "Splashtop Software Updater Service", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"", + "Description": "Service installation event as result of Splashtop Software Updater Service installation." + }, + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "Splashtop® Remote Service", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", + "Description": "Service installation event as result of Splashtop Remote Service installation." 
+ }, + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "SplashtopRemoteService", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", + "Description": "Service installation event as result of Splashtop Remote Service installation." + } + ], + "Registry": [ + { + "Path": "KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*", + "Description": "Splashtop Inc. registry key" + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater", + "Description": "Splashtop Software Updater uninstall key" + }, + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService", + "Description": "Splashtop Remote Service registry key" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational", + "Description": "Splashtop Streamer Remote Session event log channel" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational", + "Description": "Splashtop Streamer Status event log channel" + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount", + "Description": "Splashtop Software Updater install reference count" + }, + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService", + "Description": "Splashtop Remote Service safe boot configuration" + }, + { + "Path": "HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*", + "Description": "Default user Splashtop Inc. registry key" + }, + { + "Path": "HKU\\SID\\Software\\Splashtop Inc.\\*", + "Description": "User-specific Splashtop Inc. 
registry key" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer", + "Description": "Splashtop PDF Remote Printer configuration" + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*", + "Description": "Splashtop Remote Server client information" + } + ], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "global.rel.tunnels.api.visualstudio.com", - "*.rel.tunnels.api.visualstudio.com", - "*.devtunnels.ms" + "*.splashtop.com" ], - "Ports": [] + "Ports": [ + "N/A" + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml", - "Description": "Detects potential network activity of Visual Studio Dev Tunnel RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml", + "Description": "Detects potential registry activity of Splashtop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml", + "Description": "Detects potential network activity of Splashtop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml", + "Description": "Detects potential files activity of Splashtop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml", + "Description": "Detects potential processes activity of Splashtop RMM tool" } ], "References": [ - "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security" + "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Théo Letailleur", + "Handle": "in/theosyn" + } + ] }, { - "Name": 
"Xpra", - "Description": "Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remcos", + "Description": "Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -3282,10 +3549,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Xpra\\*", - "*\\Xpra\\*", - "*\\Xpra-Launcher.exe", - "*\\Xpra-x86_64_Setup.exe" + "remcos*.exe" ] }, "Artifacts": { @@ -3296,16 +3560,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml", - "Description": "Detects potential processes activity of Xpra RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml", + "Description": "Detects potential processes activity of Remcos RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Royal Apps", - "Description": "Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SpyAnywhere", + "Description": "SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -3323,8 +3587,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "royalserver.exe", - "royalts.exe" + "sysdiag.exe" ] }, "Artifacts": { @@ -3335,7 +3598,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "*.spytech-web.com", + "spyanywhere.com" ], "Ports": [] } 
@@ -3343,25 +3607,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml", - "Description": "Detects potential network activity of Royal Apps RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml", + "Description": "Detects potential network activity of SpyAnywhere RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml", - "Description": "Detects potential processes activity of Royal Apps RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of SpyAnywhere RMM tool" } ], "References": [ - "https://www.royalapps.com/ts/win/download" + "https://www.spyanywhere.com/support.shtml" ], "Acknowledgement": [] }, { - "Name": "eHorus", - "Description": "eHorus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Distant Desktop", + "Description": "Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -3376,7 +3640,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ehorus standalone.exe" + "ddsystem.exe", + "dd.exe", + "distant-desktop.exe" ] }, "Artifacts": { @@ -3387,7 +3653,8 @@ { "Description": "Known remote domains", "Domains": [ - "ehorus.com" + "*.distantdesktop.com", + "*signalserver.xyz" ], "Ports": [] } 
@@ -3395,64 +3662,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml", - "Description": "Detects potential network activity of eHorus RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Distant Desktop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml", - "Description": "Detects potential processes activity of eHorus RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Distant Desktop RMM tool" } ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "SuperPuTTY", - "Description": "SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Downloads\\SuperPuTTY\\*", - "*Downloads\\SuperPuTTY\\*", - "*\\superputty.exe", - "*\\SuperPuTTY\\*" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml", - "Description": "Detects potential processes activity of SuperPuTTY RMM tool" - } + "References": [ + "https://www.distantdesktop.com/manual/first-start.htm" ], - "References": [], "Acknowledgement": [] }, { - "Name": "ZeroTier", - "Description": "ZeroTier is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "Acronis Cyber Protect (Remotix)", + "Description": "Acronis Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -3467,9 +3695,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "zerotier*.msi", - "zerotier*.exe", - "zero-powershell.exe" + "AcronisCyberProtectConnectQuickAssist*.exe", + "AcronisCyberProtectConnectAgent.exe" ] }, "Artifacts": { @@ -3480,8 +3707,10 @@ { "Description": "Known remote domains", "Domains": [ - "zerotier.com", - "*.zerotier.com" + "cloud.acronis.com", + "agents*-cloud.acronis.com", + "gw.remotix.com", + "connect.acronis.com" ], "Ports": [] } 
@@ -3489,56 +3718,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml", - "Description": "Detects potential network activity of ZeroTier RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml", + "Description": "Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml", - "Description": "Detects potential processes activity of ZeroTier RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml", + "Description": "Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool" } ], "References": [ - "https://my.zerotier.com/" + "https://kb.acronis.com/content/47189" ], "Acknowledgement": [] }, { - "Name": "Devolutions Remote Desktop Manager", - "Description": "Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "BeAnyWhere", - "Description": "BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pulseway", + "Description": "Pulseway is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -3553,14 +3751,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "basuptshelper.exe", - "basupsrvcupdate.exe", - "BASupApp.exe", - "BASupSysInf.exe", - "BASupAppSrvc.exe", - "TakeControl.exe", - "BASupAppElev.exe", - "basupsrvc.exe" + "PCMonitorManager.exe", + "pcmonitorsrv.exe" ] }, "Artifacts": { @@ -3571,8 +3763,7 @@ { "Description": "Known remote domains", "Domains": [ - "beanywhere.en.uptodown.com/windows", - "beanywhere.com" + "pulseway.com" ], "Ports": [] } 
@@ -3580,70 +3771,36 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml", - "Description": "Detects potential network activity of BeAnyWhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml", + "Description": "Detects potential network activity of Pulseway RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of BeAnyWhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml", + "Description": "Detects potential processes activity of Pulseway RMM tool" } ], "References": [ - "https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx" - ], - "Acknowledgement": [] - }, - { - "Name": "WebEx (Remote Access)", - "Description": "WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/14/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [ - "https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access" + "https://intercom.help/pulseway/en/" ], "Acknowledgement": [] }, { - "Name": "AnyDesk", - "Category": "RMM", - "Description": "AnyDesk is a popular remote desktop software that enables users to access and control a computer or device from a remote location. 
It was developed with the primary goal of facilitating remote work, technical support, and collaboration between individuals and teams.\n", - "Author": "Ali Alwashali, Nasreddine Bencherchali", - "Created": "2023-09-29", - "LastModified": "2024-10-06", + "Name": "TeamViewer", + "Description": "TeamViewer is a remote monitoring and management (RMM) tool.\n", + "Author": "Nasreddine Bencherchali, Michael Haag", + "Created": "2024-08-02", + "LastModified": "2024-08-02", "Details": { - "Website": "https://anydesk.com/en", + "Website": "https://www.teamviewer.com/en", "PEMetadata": [ { - "Filename": "anydesk.exe", - "OriginalFileName": "AnyDesk.exe", - "Description": "AnyDesk", - "Product": "AnyDesk" + "Filename": "TeamViewer.exe", + "OriginalFileName": "", + "Description": "", + "Product": "TeamViewer" } ], - "Privileges": "User", + "Privileges": "user", "Free": true, "Verification": false, "SupportedOS": [ 
@@ -3654,117 +3811,105 @@ "Mac", "Windows" ], - "Capabilities": [ - "File Transfer", - "File System Access", - "Remote Control", - "GUI Support", - "Command line Support" - ], + "Capabilities": [], "Vulnerabilities": [ - "https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html" + "https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html" ], "InstallationPaths": [ - "C:\\Program Files (x86)\\AnyDesk\\*", - "C:\\Program Files\\AnyDesk\\*" + "C:\\Program Files\\TeamViewer\\", + "teamviewer_desktop.exe", + "teamviewer_service.exe", + "teamviewerhost" ] }, "Artifacts": { "Disk": [ { - "File": "%programdata%\\AnyDesk\\ad_svc.trace", - "Description": "AnyDesk service log file. As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established.", - "OS": "Windows", - "Example": [ - "info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798" - ] - }, - { - "File": "%programdata%\\AnyDesk\\connection_trace.txt", - "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)", - "OS": "Windows", - "Example": [ - "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", - "Incoming 2022-09-28, 12:39 User 442226597 442226597" - ] - }, - { - "File": "%APPDATA%\\AnyDesk\\connection_trace.txt", - "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. 
the local user authorized it, or a password was used)", - "OS": "Windows", - "Example": [ - "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", - "Incoming 2022-09-28, 12:39 User 442226597 442226597" - ] + "File": "C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log", + "Description": "N/A", + "OS": "Windows" }, { - "File": "%APPDATA%\\AnyDesk\\ad.trace", - "Description": "AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant.", + "File": "TeamViewer\\d\\d_Logfile\\.log", + "Description": "N/A", "OS": "Windows", - "Example": [ - "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30).", - "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0." - ] + "Type": "Regex" }, { - "File": "%APPDATA%\\AnyDesk\\chat\\*.txt", - "Description": "If the chat functionality is used, its entries will be printed in a text file in this folder.", + "File": "C:\\Program Files\\TeamViewer\\Connections_incoming.txt", + "Description": "N/A", "OS": "Windows" }, { - "File": "%APPDATA%\\AnyDesk\\user.conf", + "File": "C:\\Program Files\\TeamViewer\\TVNetwork.log", "Description": "N/A", "OS": "Windows" }, { - "File": "%PROGRAMDATA%\\AnyDesk\\service.conf", - "Description": "Password can be set to auto-validate the session. 
The password will be saved in a salted hash format.", + "File": "%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log", + "Description": "N/A", "OS": "Windows" }, { - "File": "%APPDATA%\\AnyDesk\\service.conf", + "File": "%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log", "Description": "N/A", - "OS": "Windows" + "OS": "Windows", + "Type": "Regex" }, { - "File": "%APPDATA%\\AnyDesk\\system.conf", + "File": "teamviewerqs.exe", "Description": "N/A", "OS": "Windows" }, { - "File": "%PROGRAMDATA%\\AnyDesk\\system.conf", + "File": "tv_w32.exe", "Description": "N/A", "OS": "Windows" }, { - "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk", + "File": "tv_w64.exe", "Description": "N/A", "OS": "Windows" }, { - "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk", + "File": "tv_x64.exe", "Description": "N/A", "OS": "Windows" }, { - "File": "C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk", + "File": "teamviewer.exe", "Description": "N/A", "OS": "Windows" }, { - "File": "C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*", + "File": "teamviewer_service.exe", "Description": "N/A", "OS": "Windows" }, { - "File": "~/Library/Application Support/AnyDesk/Logs/", + "File": "%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db", + "Description": "SQlite 3 database storing cache about TeamViewer chat", + "OS": "Windows" + }, + { + "File": "%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db", + "Description": "SQlite 3 database storing TeamViewer print jobs", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk", "Description": "N/A", - "OS": "Mac" + "OS": "Windows" }, { - "File": "~/.config/AnyDesk/Logs/", + "File": "C:\\Program Files*\\TeamViewer\\connections*.txt", "Description": "N/A", - "OS": "Linux" + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc", + 
"Description": "N/A", + "OS": "Windows" } ], "EventLog": [ 
@@ -3772,58 +3917,89 @@ "EventID": 7045, "ProviderName": "Service Control Manager", "LogFile": "System.evtx", - "ServiceName": "AnyDesk Service", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service", - "Description": "Service installation event as result of AnyDesk installation." - }, - { - "EventID": 4697, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "ServiceName": "AnyDesk Service", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service", - "Description": "Service installation event as result of AnyDesk installation." + "ServiceName": "TeamViewer", + "ImagePath": "\"C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"", + "Description": "Service installation event as result of TeamViewer installation." } ], "Registry": [ { - "Path": "HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk", + "Path": "HKLM\\SOFTWARE\\TeamViewer\\*", "Description": "N/A" }, { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk", + "Path": "HKU\\\\SOFTWARE\\TeamViewer\\*", "Description": "N/A" }, { - "Path": "HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command", + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*", "Description": "N/A" }, { - "Path": "HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command", + "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", "Description": "N/A" }, { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*", + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*", "Description": "N/A" }, { - "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk", + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle", "Description": "N/A" }, { - "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk", + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage", "Description": "N/A" }, { - "Path": 
"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk", + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions", "Description": "N/A" } ], "Network": [ { - "Description": "During setup the boot.net.anydesk.com domain is request over port 443", + "Description": "Known remote domains", "Domains": [ - "boot.net.anydesk.com" + "*.teamviewer.com" + ], + "Ports": [] + }, + { + "Description": "N/A", + "Domains": [ + "router15.teamviewer.com" ], "Ports": [ 443 @@ -3832,7 +4008,7 @@ { "Description": "N/A", "Domains": [ - "relay-[a-f0-9]{8}.net.anydesk.com:443" + "client.teamviewer.com" ], "Ports": [ 443 @@ -3841,7 +4017,7 @@ { "Description": "N/A", "Domains": [ - "*.anydesk.com" + "taf.teamviewer.com" ], "Ports": [ 443 
@@ -3850,72 +4026,57 @@ ], "Other": [ { - "Type": "User-Agent", - "Value": "AnyDesk/*" + "Type": "Mutex", + "Value": "TeamViewer_LogMutex" }, { - "Type": "NamedPipe", - "Value": "adprinterpipe" + "Type": "Mutex", + "Value": "TeamViewerHooks_DynamicMemMutex" + }, + { + "Type": "Mutex", + "Value": "TeamViewer3_Win32_Instance_Mutex" } ] }, "Detections": [ { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml", - "Description": "Anydesk Remote Access Software Service Installation" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml", - "Description": "N/A" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml", - "Description": "N/A" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml", - "Description": "Remote Access Tool - AnyDesk Silent Installation" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml", + "Description": "Detects potential registry activity of TeamViewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml", - "Description": "Detects potential registry activity of AnyDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml", + "Description": "Detects potential network activity of TeamViewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml", - "Description": "Detects potential network 
activity of AnyDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml", + "Description": "Detects potential files activity of TeamViewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml", - "Description": "Detects potential files activity of AnyDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of TeamViewer RMM tool" } ], "References": [ - "https://support.anydesk.com/knowledge/firewall", + "https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer", + "https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#", + "https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/", "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html", - "https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk", - "https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/" + "https://github.com/Purp1eW0lf/Blue-Team-Notes" ], "Acknowledgement": [ { "Person": "Théo Letailleur", "Handle": "in/theosyn" - }, - { - "Person": "Ali Alwashali", - "Handle": "@ali_alwashali" - }, - { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" } ] }, { - "Name": "Free Ping Tool", - "Description": "Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Zoho Assist", + "Description": "Zoho Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -3930,26 +4091,65 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "can't find this one", - "can't find this one" + "zaservice.exe", + "ZMAgent.exe", + "C:\\*\\ZA_Access.exe", + "ZohoMeeting.exe", + "Zohours.exe", + "zohotray.exe", + "ZohoURSService.exe", + "*\\ZA_Access.exe", + "Zaservice.exe", + "za_connect.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.zoho.com.au", + "*.zohoassist.jp", + "assist.zoho.com", + "zoho.com/assist/", + "*.zoho.in", + "downloads.zohodl.com.cn", + "*.zohoassist.com", + "downloads.zohocdn.com", + "gateway.zohoassist.com", + "*.zohoassist.com.cn", + "*.zoho.com.cn", + "*.zoho.com", + "*.zoho.eu" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml", + "Description": "Detects potential network activity of Zoho Assist RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Zoho Assist RMM tool" + } + ], + "References": [ + "https://www.zoho.com/assist/kb/firewall-configuration.html" + ], "Acknowledgement": [] }, { - "Name": "S3 Browser", - "Description": "S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "HelpU", + "Description": "HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -3964,24 +4164,39 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\S3 Browser\\*", - "*\\S3 Browser\\*", - "*\\s3browser*.exe" + "helpu_install.exe", + "HelpuUpdater.exe", + "HelpuManager.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "helpu.co.kr", + "*.helpu.co.kr" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml", - "Description": "Detects potential processes activity of S3 Browser RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml", + "Description": "Detects potential network activity of HelpU RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml", + "Description": "Detects potential processes activity of HelpU RMM tool" } ], - "References": [], + "References": [ + "https://helpu.co.kr/" + ], "Acknowledgement": [] }, { @@ -4018,11 +4233,11 @@ "Acknowledgement": [] }, { - "Name": "Adobe Connect", - "Description": "Adobe Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ezHelp", + "Description": "ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/27/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -4037,10 +4252,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ConnectAppSetup*.exe", - "ConnectShellSetup*.exe", - "Connect.exe", - "ConnectDetector.exe" + "ezhelpclientmanager.exe", + "ezHelpManager.exe", + "ezhelpclient.exe" ] }, "Artifacts": { 
@@ -4051,7 +4265,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.adobeconnect.com" + "*.ezhelp.co.kr", + "ezhelp.co.kr" ], "Ports": [] } @@ -4059,25 +4274,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml", - "Description": "Detects potential network activity of Adobe Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml", + "Description": "Detects potential network activity of ezHelp RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of Adobe Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml", + "Description": "Detects potential processes activity of ezHelp RMM tool" } ], "References": [ - "https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html" + "https://www.exhelp.co.kr" ], "Acknowledgement": [] }, { - "Name": "RemotePC", - "Description": "RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "LabTeach (Connectwise Automate)", + "Description": "LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -4092,56 +4307,30 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\RemotePC\\*", - "Idrive.File-Transfer", - "*\\RemotePC\\*", - "remotepcservice.exe", - "RemotePC.exe", - "remotepchost.exe", - "idrive.RemotePCAgent", - "rpcsuite.exe", - "*\\RemotePCService.exe", - "RemotePCService.exe" + "ltsvc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.remotedesktop.com", - "*.remotepc.com", - "www.remotepc.com", - "remotepc.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml", - "Description": "Detects potential network activity of RemotePC RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml", - "Description": "Detects potential processes activity of RemotePC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml", + "Description": "Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool" } ], - "References": [ - "https://www.remotedesktop.com/helpdesk/faq-firewall" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "LogMeIn rescue", - "Description": "LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FreeNX", + "Description": "FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -4156,48 +4345,31 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "support-logmeinrescue*.exe", - "support-logmeinrescue.exe", - "lmi_rescue.exe" + "C:\\*\\nxplayer.exe", + "*\\nxplayer.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.logmeinrescue.com", - "*.logmeinrescue.eu", - "logmeinrescue.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml", - "Description": "Detects potential network activity of LogMeIn rescue RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml", - "Description": "Detects potential processes activity of LogMeIn rescue RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml", + "Description": "Detects potential processes activity of FreeNX RMM tool" } ], - "References": [ - "https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "UltraViewer", - "Description": "UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DragonDisk", + "Description": "DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -4212,56 +4384,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "UltraViewer_Service.exe", - "UltraViewer_setup*", - "UltraViewer_Desktop.exe", - "ultraviewer.exe", - "C:\\Program Files (x86)\\UltraViewer\\UltraViewer_Desktop.exe", - "*\\UltraViewer\\", - "*\\UltraViewer_Desktop.exe", - "ultraviewer_desktop.exe", - "ultraviewer_service.exe", - "UltraViewer_Desktop.exe", - "UltraViewer_setup*", - "UltraViewer_Service.exe" + "C:\\Program Files (x86)\\Almageste\\DragonDisk\\*", + "*\\Almageste\\DragonDisk\\*", + "*\\DragonDisk.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "* .ultraviewer.net", - "ultraviewer.net" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml", - "Description": "Detects potential network activity of UltraViewer RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml", - "Description": "Detects potential processes activity of UltraViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml", + "Description": "Detects potential processes activity of DragonDisk RMM tool" } ], - "References": [ - "https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Pandora RC (eHorus)", - "Description": "Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Manage Engine (Desktop Central)", + "Description": "Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -4276,8 +4424,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ehorus standalone.exe", - "ehorus_agent.exe" + "dcagentservice.exe", + "dcagentregister.exe" ] }, "Artifacts": { @@ -4288,7 +4436,12 @@ { "Description": "Known remote domains", "Domains": [ - "portal.ehorus.com" + "desktopcentral.manageengine.com", + "desktopcentral.manageengine.com.eu", + "desktopcentral.manageengine.cn", + "*.dms.zoho.com", + "*.dms.zoho.com.eu", + "*.-dms.zoho.com.cn" ], "Ports": [] } 
@@ -4296,25 +4449,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml", - "Description": "Detects potential network activity of Pandora RC (eHorus) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml", + "Description": "Detects potential network activity of Desktop Central RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml", - "Description": "Detects potential processes activity of Pandora RC (eHorus) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml", + "Description": "Detects potential processes activity of Desktop Central RMM tool" } ], - "References": [ - "https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "IntelliAdmin Remote Control", - "Description": "IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Encapto", + "Description": "Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -4328,13 +4479,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "iadmin.exe", - "intelliadmin.exe", - "agent32.exe", - "agent64.exe", - "agent_setup_5.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -4344,9 +4489,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "*.intelliadmin.com", - "intelliadmin.com/remote-control" + "encapto.com" ], "Ports": [] } 
@@ -4354,22 +4497,18 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml", - "Description": "Detects potential network activity of IntelliAdmin Remote Control RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml", - "Description": "Detects potential processes activity of IntelliAdmin Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml", + "Description": "Detects potential network activity of Encapto RMM tool" } ], "References": [ - "intelliadmin.com/remote-control" + "https://www.encapto.com - used to manage Cisco services" ], "Acknowledgement": [] }, { - "Name": "MEGAsync", - "Description": "MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ConnectWise Control", + "Description": "ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -4387,35 +4526,45 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\*\\AppData\\Local\\MEGAsync\\*", - "*Users\\*\\AppData\\Local\\MEGAsync\\*", - "*Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", - "*ProgramData\\MEGAsync\\*", - "*\\MEGAsyncSetup64.exe", - "*\\MEGAupdater.exe" + "connectwisechat-customer.exe", + "connectwisecontrol.client.exe", + "screenconnect.windowsclient.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "live.screenconnect.com", + "control.connectwise.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml", - "Description": "Detects potential processes activity of MEGAsync RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml", + "Description": "Detects potential network activity of ConnectWise Control RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml", + "Description": "Detects potential processes activity of ConnectWise Control RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Encapto", - "Description": "Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Jump Desktop", + "Description": "Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -4429,7 +4578,13 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "jumpclient.exe", + "jumpdesktop.exe", + "jumpservice.exe", + "jumpconnect.exe", + "jumpupdater.exe" + ] }, "Artifacts": { "Disk": [], @@ -4439,7 +4594,10 @@ { "Description": "Known remote domains", "Domains": [ - "encapto.com" + "*.jumpdesktop.com", + "jumpdesktop.com", + "jumpto.me", + "*.jumpto.me" ], "Ports": [] } @@ -4447,21 +4605,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml", - "Description": "Detects potential network activity of Encapto RMM tool" - } - ], - "References": [ - "https://www.encapto.com - used to manage Cisco services" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Jump Desktop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Jump Desktop RMM tool" + } + ], + "References": [ + "https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect" ], "Acknowledgement": [] }, { - "Name": "ShowMyPC", - "Description": "ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MyGreenPC", + "Description": "MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -4476,10 +4638,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "SMPCSetup.exe", - "showmypc*.exe", - "showmypc.exe", - "smpcsetup.exe" + "mygreenpc.exe" ] }, "Artifacts": { 
@@ -4490,8 +4649,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.showmypc.com", - "showmypc.com" + "*mygreenpc.com" ], "Ports": [] } @@ -4499,25 +4657,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml", - "Description": "Detects potential network activity of ShowMyPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml", + "Description": "Detects potential network activity of MyGreenPC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml", - "Description": "Detects potential processes activity of ShowMyPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml", + "Description": "Detects potential processes activity of MyGreenPC RMM tool" } ], "References": [ - "https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf" + "http://www.mygreenpc.com/" ], "Acknowledgement": [] }, { - "Name": "Lite Manager", - "Description": "Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CruzControl", + "Description": "CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -4531,11 +4689,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files\\LiteManager Pro – Viewer\\*", - "*\\LiteManager Pro – Viewer\\*", - "*\\LMNoIpServer.exe." - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -4544,15 +4698,17 @@ "Network": [] }, "Detections": [], - "References": [], + "References": [ + "https://resources.doradosoftware.com/cruz-rmm" + ], "Acknowledgement": [] }, { - "Name": "Netop Remote Control (aka Impero Connect)", - "Description": "Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Connectwise Automate (LabTech)", + "Description": "Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -4567,10 +4723,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nhostsvc.exe", - "nhstw32.exe", - "nldrw32.exe", - "rmserverconsolemediator.exe" + "ltsvc.exe", + "ltsvcmon.exe", + "lttray.exe" ] }, "Artifacts": { @@ -4581,7 +4736,7 @@ { "Description": "Known remote domains", "Domains": [ - "imperosoftware.com/impero-connect/" + "*.hostedrmm.com" ], "Ports": [] } 
@@ -4589,23 +4744,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml", - "Description": "Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml", + "Description": "Detects potential network activity of Connectwise Automate (LabTech) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml", - "Description": "Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml", + "Description": "Detects potential processes activity of Connectwise Automate (LabTech) RMM tool" } ], - "References": [], + "References": [ + "https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate" + ], "Acknowledgement": [] }, { - "Name": "GoToAssist", - "Description": "GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NoteOn-desktop sharing", + "Description": "NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -4620,11 +4777,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "gotoassist.exe", - "g2a*.exe", - "GoTo Assist Opener.exe" + "nateon*.exe", + "nateon.exe", + "nateonmain.exe" ] }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml", + "Description": "Detects potential processes activity of NoteOn-desktop sharing RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Basecamp", + "Description": "Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, "Artifacts": { "Disk": [], "EventLog": [], @@ -4633,14 +4826,7 @@ { "Description": "Known remote domains", "Domains": [ - "goto.com", - "*.getgo.com", - "*.fastsupport.com", - "*.gotoassist.com", - "helpme.net", - "*.gotoassist.me", - "*.gotoassist.at", - "*.desktopstreaming.com" + "basecamp.com" ], "Ports": [] } 
@@ -4648,25 +4834,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml", - "Description": "Detects potential network activity of GoToAssist RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml", - "Description": "Detects potential processes activity of GoToAssist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml", + "Description": "Detects potential network activity of Basecamp RMM tool" } ], "References": [ - "https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5" + "basecamp.com - No specific RMM tool listed" ], "Acknowledgement": [] }, { - "Name": "Ericom Connect", - "Description": "Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DesktopNow", + "Description": "DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -4681,8 +4863,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "EricomConnectRemoteHost*.exe", - "ericomconnnectconfigurationtool.exe" + "desktopnow.exe" ] }, "Artifacts": { @@ -4693,8 +4874,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "ericom.com" + "*.nchuser.com" ], "Ports": [] } 
@@ -4702,312 +4882,78 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml", - "Description": "Detects potential network activity of Ericom Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml", + "Description": "Detects potential network activity of DesktopNow RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of Ericom Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml", + "Description": "Detects potential processes activity of DesktopNow RMM tool" } ], "References": [ - "https://www.ericom.com/connect-accessnow/" + "https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US" ], "Acknowledgement": [] }, { - "Name": "TeamViewer", - "Description": "TeamViewer is a remote monitoring and management (RMM) tool.\n", - "Author": "Nasreddine Bencherchali, Michael Haag", - "Created": "2024-08-02", - "LastModified": "2024-08-02", + "Name": "DeskShare", + "Description": "DeskShare is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/26/2024", "Details": { - "Website": "https://www.teamviewer.com/en", - "PEMetadata": [ - { - "Filename": "TeamViewer.exe", - "OriginalFileName": "", - "Description": "", - "Product": "TeamViewer" - } - ], - "Privileges": "user", - "Free": true, - "Verification": false, - "SupportedOS": [ - "Android", - "ChromeOS", - "IOS", - "Linux", - "Mac", - "Windows" - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], "Capabilities": [], - "Vulnerabilities": [ - "https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html" - ], + "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\TeamViewer\\", - "teamviewer_desktop.exe", - "teamviewer_service.exe", - "teamviewerhost" + "TeamTaskManager.exe", + "DSGuest.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "TeamViewer\\d\\d_Logfile\\.log", - "Description": "N/A", - "OS": "Windows", - "Type": "Regex" - }, - { - "File": "C:\\Program Files\\TeamViewer\\Connections_incoming.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\TeamViewer\\TVNetwork.log", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log", - "Description": "N/A", - "OS": "Windows", - "Type": "Regex" - }, - { - "File": "teamviewerqs.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "tv_w32.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "tv_w64.exe", - "Description": "N/A", - "OS": "Windows" - 
}, - { - "File": "tv_x64.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "teamviewer.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "teamviewer_service.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db", - "Description": "SQlite 3 database storing cache about TeamViewer chat", - "OS": "Windows" - }, - { - "File": "%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db", - "Description": "SQlite 3 database storing TeamViewer print jobs", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files*\\TeamViewer\\connections*.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc", - "Description": "N/A", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "TeamViewer", - "ImagePath": "\"C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"", - "Description": "Service installation event as result of TeamViewer installation." 
- } - ], - "Registry": [ - { - "Path": "HKLM\\SOFTWARE\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKU\\\\SOFTWARE\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions", - "Description": "N/A" - } - ], - "Network": [ + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { "Description": "Known remote domains", "Domains": [ - "*.teamviewer.com" + "user_managed" ], "Ports": [] - }, - { - "Description": "N/A", - "Domains": [ - "router15.teamviewer.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - 
"client.teamviewer.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "taf.teamviewer.com" - ], - "Ports": [ - 443 - ] - } - ], - "Other": [ - { - "Type": "Mutex", - "Value": "TeamViewer_LogMutex" - }, - { - "Type": "Mutex", - "Value": "TeamViewerHooks_DynamicMemMutex" - }, - { - "Type": "Mutex", - "Value": "TeamViewer3_Win32_Instance_Mutex" } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml", - "Description": "Detects potential registry activity of TeamViewer RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml", - "Description": "Detects potential network activity of TeamViewer RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml", - "Description": "Detects potential files activity of TeamViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml", + "Description": "Detects potential network activity of DeskShare RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml", - "Description": "Detects potential processes activity of TeamViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml", + "Description": "Detects potential processes activity of DeskShare RMM tool" } ], "References": [ - "https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer", - "https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#", - "https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/", - 
"https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html", - "https://github.com/Purp1eW0lf/Blue-Team-Notes" + "https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx" ], - "Acknowledgement": [ - { - "Person": "Théo Letailleur", - "Handle": "in/theosyn" - } - ] + "Acknowledgement": [] }, { - "Name": "Access Remote PC", - "Description": "Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RPort", + "Description": "RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -5022,28 +4968,42 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rpcgrab.exe", - "rpcsetup.exe" + "rport.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "rport.io" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml", - "Description": "Detects potential processes activity of Access Remote PC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml", + "Description": "Detects potential network activity of RPort RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml", + "Description": "Detects potential processes activity of RPort RMM tool" } ], - "References": [], + "References": [ + "https://kb.rport.io/using-the-remote-access" + ], "Acknowledgement": [] }, { - "Name": "SecureCRT", - "Description": "SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SuperPuTTY", + "Description": "SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -5061,9 +5021,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\SecureCRT.EXE", - "*\\SecureCRT.EXE", - "*\\VanDyke Software\\ClientPack\\*" + "C:\\Downloads\\SuperPuTTY\\*", + "*Downloads\\SuperPuTTY\\*", + "*\\superputty.exe", + "*\\SuperPuTTY\\*" ] }, "Artifacts": { 
@@ -5074,19 +5035,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml", - "Description": "Detects potential processes activity of SecureCRT RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml", + "Description": "Detects potential processes activity of SuperPuTTY RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Acronic Cyber Protect (Remotix)", - "Description": "Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GatherPlace-desktop sharing", + "Description": "GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -5101,9 +5062,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "AcronisCyberProtectConnectQuickAssist*.exe", - "AcronisCyberProtectConnectAgent.exe" - ] + "gp3.exe", + "gp4.exe", + "gp5.exe" + ] }, "Artifacts": { "Disk": [], @@ -5113,10 +5075,9 @@ { "Description": "Known remote domains", "Domains": [ - "cloud.acronis.com", - "agents*-cloud.acronis.com", - "gw.remotix.com", - "connect.acronis.com" + "*.gatherplace.com", + "*.gatherplace.net", + "gatherplace.com" ], "Ports": [] } 
@@ -5124,22 +5085,114 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml", - "Description": "Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml", + "Description": "Detects potential network activity of GatherPlace-desktop sharing RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml", - "Description": "Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml", + "Description": "Detects potential processes activity of GatherPlace-desktop sharing RMM tool" } ], "References": [ - "https://kb.acronis.com/content/47189" + "https://www.gatherplace.com/kb?id=136377" ], "Acknowledgement": [] }, { - "Name": "Sorillus", - "Description": "Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "S3 Browser", + "Description": "S3 Browser is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Program Files (x86)\\S3 Browser\\*", + "*\\S3 Browser\\*", + "*\\s3browser*.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml", + "Description": "Detects potential processes activity of S3 Browser RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "NTR Remote", + "Description": "NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/26/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "NTRsupportPro_EN.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.ntrsupport.com" + ], + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml", + "Description": "Detects potential network activity of NTR Remote RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml", + "Description": "Detects potential processes activity of NTR Remote RMM tool" + } + ], + "References": [ 
+ "DOA as of 2024" + ], + "Acknowledgement": [] + }, + { + "Name": "PSEXEC (Clone)", + "Description": "PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -5157,8 +5210,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Sorillus-Launcher*.exe", - "Sorillus Launcher.exe" + "paexec.exe", + "PAExec-*.exe", + "csexec.exe ", + "remcom.exe", + "remcomsvc.exe", + "xcmd.exe", + "xcmdsvc.exe" ] }, "Artifacts": { @@ -5169,8 +5227,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.sorillus.com", - "sorillus.com" + "user_managed" ], "Ports": [] } 
@@ -5178,25 +5235,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml", - "Description": "Detects potential network activity of Sorillus RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml", + "Description": "Detects potential network activity of PSEXEC (Clone) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml", - "Description": "Detects potential processes activity of Sorillus RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml", + "Description": "Detects potential processes activity of PSEXEC (Clone) RMM tool" } ], "References": [ - "https://sorillus.com/" + "https://www.poweradmin.com/paexec/" ], "Acknowledgement": [] }, { - "Name": "Barracuda", - "Description": "Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "IntelliAdmin Remote Control", + "Description": "IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -5210,7 +5267,13 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "iadmin.exe", + "intelliadmin.exe", + "agent32.exe", + "agent64.exe", + "agent_setup_5.exe" + ] }, "Artifacts": { "Disk": [], @@ -5220,9 +5283,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.islonline.net", - "rmm.barracudamsp.com", - "barracudamsp.com" + "user_managed", + "*.intelliadmin.com", + "intelliadmin.com/remote-control" ], "Ports": [] } 
@@ -5230,21 +5293,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml", - "Description": "Detects potential network activity of Barracuda RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml", + "Description": "Detects potential network activity of IntelliAdmin Remote Control RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml", + "Description": "Detects potential processes activity of IntelliAdmin Remote Control RMM tool" } ], "References": [ - "https://help.islonline.com/19799/166125" + "intelliadmin.com/remote-control" ], "Acknowledgement": [] }, { - "Name": "DeskDay", - "Description": "DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "N-Able Advanced Monitoring Agent", + "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -5259,7 +5326,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ultimate_*.exe" + "Agent_*_RW.exe", + "BASEClient.exe", + "BASupApp.exe", + "BASupSrvc.exe", + "BASupSrvcCnfg.exe", + "BASupTSHelper.exe" ] }, "Artifacts": { @@ -5270,8 +5342,17 @@ { "Description": "Known remote domains", "Domains": [ - "deskday.ai", - "app.deskday.ai" + "*remote.management", + "*.logicnow.com", + "*systemmonitor.us", + "*systemmonitor.eu.com", + "*system-monitor.com", + "systemmonitor.us.cdn.cloudflare.net", + "*cloudbackup.management", + "*systemmonitor.co.uk", + "*.n-able.com", + "*.beanywhere.com ", + "*.swi-tc.com" ], "Ports": [] } 
@@ -5279,22 +5360,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml", - "Description": "Detects potential network activity of DeskDay RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", + "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml", - "Description": "Detects potential processes activity of DeskDay RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", + "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" } ], "References": [ - "https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate" + "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" ], "Acknowledgement": [] }, { - "Name": "RemoteCall", - "Description": "RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ngrok", + "Description": "ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -5312,13 +5393,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rcengmgru.exe", - "rcmgrsvc.exe", - "rxstartsupport.exe", - "rcstartsupport.exe", - "raautoup.exe", - "agentu.exe", - "remotesupportplayeru.exe" + "ngrok.exe", + "C:\\*\\ngrok.zip", + "*\\ngrok*" ] }, "Artifacts": { 
@@ -5329,9 +5406,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.remotecall.com", - "*.startsupport.com", - "remotecall.com" + "user_managed", + "ngrok.com" ], "Ports": [] } @@ -5339,23 +5415,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml", - "Description": "Detects potential network activity of RemoteCall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml", + "Description": "Detects potential network activity of ngrok RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml", - "Description": "Detects potential processes activity of RemoteCall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml", + "Description": "Detects potential processes activity of ngrok RMM tool" } ], "References": [ - "https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall" + "https://ngrok.com/docs/guides/running-behind-firewalls/" ], "Acknowledgement": [] }, { - "Name": "Splashtop", - "Description": "Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "Nasreddine Bencherchali", + "Name": "Mocha VNC Lite", + "Description": "Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", "Created": "", "LastModified": "", "Details": { 
@@ -5372,197 +5448,27 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Splashtop\\*", - "*\\Splashtop\\Splashtop Remote\\Client for RMM\\*", - "strwinclt.exe" + "This installs a modified VNC and cannot be blocked by path separate from VNC", + "This installs a modified VNC and cannot be blocked by path separate from VNC", + "*\\RealVNC\\VNC4\\*" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe", - "Description": "Splashtop Remote Service", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe", - "Description": "SplashTop Remote Agent", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe", - "Description": "Splashtop Updater", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe", - 
"Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3", - "Description": "N/A", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "Splashtop Software Updater Service", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"", - "Description": "Service installation event as result of Splashtop Software Updater Service installation." - }, - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "Splashtop® Remote Service", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", - "Description": "Service installation event as result of Splashtop Remote Service installation." - }, - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "SplashtopRemoteService", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", - "Description": "Service installation event as result of Splashtop Remote Service installation." - } - ], - "Registry": [ - { - "Path": "KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*", - "Description": "Splashtop Inc. 
registry key" - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater", - "Description": "Splashtop Software Updater uninstall key" - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService", - "Description": "Splashtop Remote Service registry key" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational", - "Description": "Splashtop Streamer Remote Session event log channel" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational", - "Description": "Splashtop Streamer Status event log channel" - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount", - "Description": "Splashtop Software Updater install reference count" - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService", - "Description": "Splashtop Remote Service safe boot configuration" - }, - { - "Path": "HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*", - "Description": "Default user Splashtop Inc. registry key" - }, - { - "Path": "HKU\\SID\\Software\\Splashtop Inc.\\*", - "Description": "User-specific Splashtop Inc. 
registry key" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer", - "Description": "Splashtop PDF Remote Printer configuration" - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*", - "Description": "Splashtop Remote Server client information" - } - ], - "Network": [ - { - "Description": "N/A", - "Domains": [ - "*.splashtop.com" - ], - "Ports": [ - "N/A" - ] - } - ] + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml", - "Description": "Detects potential registry activity of Splashtop RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml", - "Description": "Detects potential network activity of Splashtop RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml", - "Description": "Detects potential files activity of Splashtop RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml", - "Description": "Detects potential processes activity of Splashtop RMM tool" - } - ], - "References": [ - "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html" - ], - "Acknowledgement": [ - { - "Person": "Théo Letailleur", - "Handle": "in/theosyn" - } - ] + "Detections": [], + "References": [], + "Acknowledgement": [] }, { - "Name": "ManageEngine RMM Central", - "Description": "ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SkyFex", + "Description": "SkyFex is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -5576,7 +5482,10 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "Deskroll.exe", + "DeskRollUA.exe" + ] }, "Artifacts": { "Disk": [], @@ -5586,7 +5495,9 @@ { "Description": "Known remote domains", "Domains": [ - "manageengine.com/remote-monitoring-management/" + "skyfex.com", + "deskroll.com", + "*.deskroll.com" ], "Ports": [] } @@ -5594,19 +5505,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml", - "Description": "Detects potential network activity of ManageEngine RMM Central RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml", + "Description": "Detects potential network activity of SkyFex RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml", + "Description": "Detects potential processes activity of SkyFex RMM tool" } ], - "References": [], + "References": [ + "https://skyfex.com/" + ], "Acknowledgement": [] }, { - "Name": "AeroAdmin", - "Description": "AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Laplink Gold", + "Description": "Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -5621,8 +5538,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "aeroadmin.exe", - "AeroAdmin.exe" + "tsircusr.exe", + "laplink.exe" ] }, "Artifacts": { 
@@ -5633,8 +5550,8 @@ { "Description": "Known remote domains", "Domains": [ - "auth*.aeroadmin.com", - "aeroadmin.com" + "user_managed", + "wen.laplink.com/product/laplink-gold" ], "Ports": [] } @@ -5642,25 +5559,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml", - "Description": "Detects potential network activity of AeroAdmin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml", + "Description": "Detects potential network activity of Laplink Gold RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml", - "Description": "Detects potential processes activity of AeroAdmin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml", + "Description": "Detects potential processes activity of Laplink Gold RMM tool" } ], "References": [ - "https://support.aeroadmin.com/kb/faq.php?id=58" + "wen.laplink.com/product/laplink-gold" ], "Acknowledgement": [] }, { - "Name": "NoMachine", - "Description": "NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pandora RC (eHorus)", + "Description": "Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -5675,9 +5592,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nomachine*.exe", - "nxservice*.ese", - "nxd.exe" + "ehorus standalone.exe", + "ehorus_agent.exe" ] }, "Artifacts": { @@ -5688,8 +5604,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "nomachine.com" + "portal.ehorus.com" ], "Ports": [] } 
@@ -5697,25 +5612,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml", - "Description": "Detects potential network activity of NoMachine RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml", + "Description": "Detects potential network activity of Pandora RC (eHorus) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml", - "Description": "Detects potential processes activity of NoMachine RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml", + "Description": "Detects potential processes activity of Pandora RC (eHorus) RMM tool" } ], "References": [ - "https://kb.nomachine.com/AR04S01122" + "https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction" ], "Acknowledgement": [] }, { - "Name": "UltraVNC", - "Description": "UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FastViewer", + "Description": "FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -5730,7 +5645,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "UltraVNC*.exe" + "fastclient.exe", + "fastmaster.exe", + "FastViewer.exe" ] }, "Artifacts": { @@ -5741,8 +5658,8 @@ { "Description": "Known remote domains", "Domains": [ - "ultravnc.com", - "user_managed" + "*.fastviewer.com", + "fastviewer.com" ], "Ports": [] } 
@@ -5750,25 +5667,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml", - "Description": "Detects potential network activity of UltraVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml", + "Description": "Detects potential network activity of FastViewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml", - "Description": "Detects potential processes activity of UltraVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of FastViewer RMM tool" } ], "References": [ - "https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html" + "https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf" ], "Acknowledgement": [] }, { - "Name": "Instant Housecall", - "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "XRDP", + "Description": "XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -5782,51 +5699,24 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "hsloader.exe", - "ihcserver.exe", - "instanthousecall.exe", - "instanthousecall.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.instanthousecall.com", - "*.instanthousecall.net", - "instanthousecall.com", - "secure.instanthousecall.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", - "Description": "Detects potential network activity of Instant Housecall RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", - "Description": "Detects potential processes activity of Instant Housecall RMM tool" - } - ], - "References": [ - "https://instanthousecall.com/features/" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "NinjaRMM", - "Description": "NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PuTTY", + "Description": "PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -5840,51 +5730,24 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "ninjarmmagent.exe", - "NinjaRMMAgent.exe", - "NinjaRMMAgenPatcher.exe", - "ninjarmm-cli.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.ninjarmm.com", - "*.ninjaone.com", - "resources.ninjarmm.com", - "ninjaone.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml", - "Description": "Detects potential network activity of NinjaRMM RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml", - "Description": "Detects potential processes activity of NinjaRMM RMM tool" - } - ], - "References": [ - "https://www.ninjaone.com/faq/" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "ngrok", - "Description": "ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "KickIdler", + "Description": "KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -5899,9 +5762,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ngrok.exe", - "C:\\*\\ngrok.zip", - "*\\ngrok*" + "grabberEM.*msi", + "grabberTT*.msi" ] }, "Artifacts": { @@ -5912,8 +5774,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "ngrok.com" + "kickidler.com", + "my.kickidler.com" ], "Ports": [] } 
@@ -5921,25 +5783,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml", - "Description": "Detects potential network activity of ngrok RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml", - "Description": "Detects potential processes activity of ngrok RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml", + "Description": "Detects potential network activity of KickIdler RMM tool" } ], "References": [ - "https://ngrok.com/docs/guides/running-behind-firewalls/" + "https://www.kickidler.com/for-it/faq/" ], "Acknowledgement": [] }, { - "Name": "Bitvise SSH Client", - "Description": "Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Tactical RMM", + "Description": "Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -5954,29 +5812,44 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Bitvise SSH Client\\*", - "*\\Bitvise SSH Client\\*", - "*\\BvSshClient-Inst.exe" + "tacticalrmm.exe", + "tacticalrmm.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "login.tailscale.com", + "login.tailscale.com", + "docs.tacticalrmm.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml", - "Description": "Detects potential processes activity of Bitvise SSH Client RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml", + "Description": "Detects potential network activity of Tactical RMM RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml", + "Description": "Detects potential processes activity of Tactical RMM RMM tool" } ], - "References": [], + "References": [ + "docs.tacticalrmm.com" + ], "Acknowledgement": [] }, { - "Name": "Chicken (of the VNC)", - "Description": "Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FreeRDP", + "Description": "FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -6002,14 +5875,12 @@ "Network": [] }, "Detections": [], - "References": [ - "https://github.com/flit/cotvnc" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "SkyFex", - "Description": "SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemoteCall", + "Description": "RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -6027,8 +5898,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Deskroll.exe", - "DeskRollUA.exe" + "rcengmgru.exe", + "rcmgrsvc.exe", + "rxstartsupport.exe", + "rcstartsupport.exe", + "raautoup.exe", + "agentu.exe", + "remotesupportplayeru.exe" ] }, "Artifacts": { @@ -6039,9 +5915,9 @@ { "Description": "Known remote domains", "Domains": [ - "skyfex.com", - "deskroll.com", - "*.deskroll.com" + "*.remotecall.com", + "*.startsupport.com", + "remotecall.com" ], "Ports": [] } 
@@ -6049,25 +5925,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml", - "Description": "Detects potential network activity of SkyFex RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml", + "Description": "Detects potential network activity of RemoteCall RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml", - "Description": "Detects potential processes activity of SkyFex RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml", + "Description": "Detects potential processes activity of RemoteCall RMM tool" } ], "References": [ - "https://skyfex.com/" + "https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall" ], "Acknowledgement": [] }, { - "Name": "Ericom AccessNow", - "Description": "Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ZOC", + "Description": "ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -6082,85 +5958,134 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "accessserver*.exe", - "accessserver.exe" + "C:\\Program Files\\ZOC8\\*", + "*\\ZOC?\\*", + "*\\zoc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "ericom.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml", - "Description": "Detects potential network activity of Ericom AccessNow RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml", - "Description": "Detects potential processes activity of Ericom AccessNow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml", + "Description": "Detects potential processes activity of ZOC RMM tool" } ], - "References": [ - "https://www.ericom.com/connect-accessnow/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Microsoft RDP", - "Description": "Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/8/2024", + "Name": "ScreenConnect", + "Description": "ScreenConnect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "Ali Alwashali, Nasreddine Bencherchali", + "Created": "2023-10-01", + "LastModified": "2024-08-03", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "Website": "https://www.connectwise.com", + "PEMetadata": [ + { + "Filename": "", + "OriginalFileName": "", + "Description": "" + } + ], "Privileges": "", - "Free": "", + "Free": "14-Days Free Trial", "Verification": "", - "SupportedOS": [], - "Capabilities": [], + "SupportedOS": [ + "Android", + "IOS", + "Linux", + "Mac", + "Windows" + ], + "Capabilities": [ + "Command Line Support", + "File Transfer", + "Install Windows updates", + "Receive notification when user performs a predefined event", + "Remote Command Line", + "Remote Control", + "Sound Capture", + "Start / Stop services", + "View event logs" + ], "Vulnerabilities": [], "InstallationPaths": [ - "termsrv.exe", - "mstsc.exe", - "Microsoft Remote Desktop" + "C:\\Program Files (x86)\\ScreenConnect Client (Random)\\ScreenConnect.ClientService.exe", + "Remote Workforce Client.exe", + "*\\*\\ScreenConnect.ClientService.exe", + "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", + "*\\ScreenConnect Client*\\*", + "*\\*\\ScreenConnect.WindowsClient.exe", + "screenconnect*.exe", + "screenconnect.windowsclient.exe", + "Remote Workforce Client.exe", + "screenconnect*.exe", + "ConnectWiseControl*.exe", + "connectwise*.exe", + "screenconnect.windowsclient.exe", + "screenconnect.clientservice.exe" ] }, "Artifacts": { - "Disk": [], + "Disk": [ + { + "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db", + "Description": "ScreenConnect session database", + "OS": "Windows" + }, + { + "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml", + "Description": "ScreenConnect user configuration", + "OS": "Windows" + }, + { + "File": "C:\\ProgramData\\ScreenConnect Client*\\user.config", + "Description": "ScreenConnect 
client user configuration", + "OS": "Windows" + } + ], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "control.connectwise.com", + "*.connectwise.com", + "*.screenconnect.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml", - "Description": "Detects potential processes activity of Microsoft RDP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml", + "Description": "Detects potential network activity of ScreenConnect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml", + "Description": "Detects potential files activity of ScreenConnect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml", + "Description": "Detects potential processes activity of ScreenConnect RMM tool" } ], "References": [ - "https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows" + "https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/" ], "Acknowledgement": [] }, { - "Name": "Royal Server", - "Description": "Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Insync", + "Description": "Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -6177,39 +6102,33 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Users\\USERNAME\\AppData\\Roaming\\Insync\\App\\Insync.exe", + "*Users\\*\\AppData\\Roaming\\Insync\\App\\Insync.exe", + "*\\Insync.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "royalapps.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml", - "Description": "Detects potential network activity of Royal Server RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml", + "Description": "Detects potential processes activity of Insync RMM tool" } ], - "References": [ - "https://royalapps.com/server/main/features" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Solar-PuTTY", - "Description": "Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ITSupport247 (ConnectWise)", + "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -6224,29 +6143,41 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\Solar-Putty-v4\\*", - "*\\Solar-Putty-v4\\*", - "*\\Solar-PuTTY.exe" + "saazapsc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.itsupport247.net" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml", - "Description": "Detects potential processes activity of Solar-PuTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", + "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", + "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" } ], - "References": [], + "References": [ + "https://control.itsupport247.net/" + ], "Acknowledgement": [] }, { - "Name": "Duplicati", - "Description": "Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeyondTrust", + "Description": "BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -6263,10 +6194,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "c:\\Program Files\\*\\Duplicati.Server.exe", - "*\\*\\Duplicati.Server.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -6274,21 +6202,16 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml", - "Description": "Detects potential processes activity of Duplicati RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "Remote Desktop Plus", - "Description": "Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Guacamole", + "Description": "Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -6303,7 +6226,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rdp.exe" + "guacd.exe" ] }, "Artifacts": { @@ -6314,7 +6237,8 @@ { "Description": "Known remote domains", "Domains": [ - "donkz.nl" + "user_managed", + "guacamole.apache.org" ], "Ports": [] } 
@@ -6322,25 +6246,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml", - "Description": "Detects potential network activity of Remote Desktop Plus RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml", + "Description": "Detects potential network activity of Guacamole RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml", - "Description": "Detects potential processes activity of Remote Desktop Plus RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml", + "Description": "Detects potential processes activity of Guacamole RMM tool" } ], "References": [ - "https://www.donkz.nl/" + "guacamole.apache.org" ], "Acknowledgement": [] }, { - "Name": "ITSupport247 (ConnectWise)", - "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Tanium Deploy", + "Description": "Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -6354,9 +6278,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "saazapsc.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -6366,8 +6288,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.itsupport247.net", - "itsupport247.net" + "tanium.com/products/tanium-deploy" ], "Ports": [] } 
@@ -6375,25 +6296,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", - "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", - "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml", + "Description": "Detects potential network activity of Tanium Deploy RMM tool" } ], - "References": [ - "https://control.itsupport247.net/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "DesktopNow", - "Description": "DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "HelpBeam", + "Description": "HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -6408,7 +6323,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "desktopnow.exe" + "helpbeam*.exe" ] }, "Artifacts": { @@ -6419,7 +6334,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.nchuser.com" + "helpbeam.software.informer.com" ], "Ports": [] } 
@@ -6427,22 +6342,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml", - "Description": "Detects potential network activity of DesktopNow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml", + "Description": "Detects potential network activity of HelpBeam RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml", - "Description": "Detects potential processes activity of DesktopNow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml", + "Description": "Detects potential processes activity of HelpBeam RMM tool" } ], "References": [ - "https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US" + "https://www.helpbeam.com domain for sale in 2024" ], "Acknowledgement": [] }, { - "Name": "Remmina", - "Description": "Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CarotDAV", + "Description": "CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -6459,7 +6374,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files (x86)\\Rei Software\\CarotDAV\\*", + "*\\Rei Software\\CarotDAV\\*", + "*\\CarotDAV.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -6467,16 +6386,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml", + "Description": "Detects potential processes activity of CarotDAV RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Distant Desktop", - "Description": "Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Royal TS", + "Description": "Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -6491,9 +6415,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ddsystem.exe", - "dd.exe", - "distant-desktop.exe" + "royalts.exe" ] }, "Artifacts": { @@ -6504,8 +6426,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.distantdesktop.com", - "*signalserver.xyz" + "royalapps.com" ], "Ports": [] } 
@@ -6513,25 +6434,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Distant Desktop RMM tool" - }, + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml", + "Description": "Detects potential network activity of Royal TS RMM tool" + }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Distant Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml", + "Description": "Detects potential processes activity of Royal TS RMM tool" } ], - "References": [ - "https://www.distantdesktop.com/manual/first-start.htm" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "DameWare", - "Description": "DameWare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Onionshare", + "Description": "Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -6546,49 +6465,30 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "SolarWinds-Dameware-DRS*.exe", - "DameWare Mini Remote Control*.exe", - "C:\\Windows\\dwrcs\\*\n c:\\Program File\\SolarWinds\\Dameware Mini Remote Control\\*", - "dntus*.exe", - "dwrcs.exe", - "*\\dwrcs\\*", - "*\\dwrcst.exe", - "DameWare Remote Support.exe", - "SolarWinds-Dameware-MRC*.exe" + "C:\\Program Files (x86)\\OnionShare\\*", + "*\\OnionShare\\*", + "*\\onionshare*.exe", + "OnionShare-win*.msi" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "dameware.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml", - "Description": "Detects potential network activity of Dameware-mini remote control Protocol RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml", - "Description": "Detects potential processes activity of DameWare RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml", + "Description": "Detects potential processes activity of Onionshare RMM tool" } ], - "References": [ - "https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Level", - "Description": "Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PuTTY Tray", + "Description": "PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -6605,34 +6505,29 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\*\\puttytray.exe", + "*\\puttytray.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "level.io" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml", - "Description": "Detects potential network activity of Level RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml", + "Description": "Detects potential processes activity of PuTTY Tray RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Insync", - "Description": "Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SmartFTP", + "Description": "SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -6650,9 +6545,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\USERNAME\\AppData\\Roaming\\Insync\\App\\Insync.exe", - "*Users\\*\\AppData\\Roaming\\Insync\\App\\Insync.exe", - "*\\Insync.exe" + "C:\\Program Files (x86)\\SmartFTP Client\\en-US\\", + "*\\SmartFTP Client\\*", + "*\\SfShellTools.dll.mui" ] }, "Artifacts": { 
@@ -6661,28 +6556,31 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml", - "Description": "Detects potential processes activity of Insync RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "ISL Online", - "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/8/2024", + "Name": "Kaseya (VSA)", + "Description": "Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", "Details": { "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "PEMetadata": [ + { + "Filename": "agentmon.exe" + }, + { + "Filename": "KaUpdHlp.exe" + }, + { + "Filename": "KaUsrTsk.exe", + "OriginalFileName": "", + "Description": "" + } + ], "Privileges": "", "Free": "", "Verification": "", 
@@ -6690,26 +6588,102 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "*\\ISLLight.exe", - "isllight.exe", - "ISLLightClient.exe", - "C:\\Program Files (x86)\\ISL Online\\ISL Light*", - "*\\ISL Online\\ISL Light*", - "ISLLight.exe", - "isllightservice.exe", - "islalwaysonmonitor.exe" + "C:\\Program Files (x86)\\Kaseya\\", + "C:\\ProgramData\\Kaseya\\" ] }, "Artifacts": { - "Disk": [], + "Disk": [ + { + "File": "%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*", + "Description": "Kaseya Live Connect logs", + "OS": "Windows" + }, + { + "File": "~/Library/Logs/com.kaseya/KaseyaLiveConnect/*", + "Description": "Kaseya Live Connect logs", + "OS": "MacOS" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*", + "Description": "Kaseya Endpoint logs", + "OS": "Windows" + }, + { + "File": "C:\\Program Files*\\Kaseya\\*\\agentmon.log", + "Description": "Kaseya Agent Monitor log" + }, + { + "File": "/var/log/system.log", + "Description": "Kaseya Agent Monitor log", + "OS": "MacOS 32bit" + }, + { + "File": " ~/opt/kaseya/*/logs*", + "Description": "Kaseya Agent Monitor log", + "OS": "MacOS 64bit" + }, + { + "File": "C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log", + "Description": "Kaseya Setup log in user temp directory", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\Temp\\KASetup.log", + "Description": "Kaseya Setup log in Windows temp directory", + "OS": "Windows" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*", + "Description": "Kaseya Edge Services logs", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\api\\v1.0\\logs\\", + "Description": "Kaseya API logs", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\api\\v1.5\\endpoint\\logs", + "Description": "Kaseya API logs", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\api\\v1.5\\endpoints\\logs", + "Description": "Kaseya API logs", + "OS": "Windows" + }, + { + "File": 
"C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\", + "Description": "Certificate creation", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\WebPages\\install\\makecert.txt", + "Description": "Certificate creation", + "OS": "Windows" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*", + "Description": "Endpoint service logs", + "OS": "Windows" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*", + "Description": "Session logs", + "OS": "Windows" + } + ], "EventLog": [], "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "*.islonline.com", - "*.islonline.net" + "deploy01.kaseya.com", + "*managedsupport.kaseya.net", + "*.kaseya.net", + "kaseya.com" ], "Ports": [] } 
@@ -6717,25 +6691,28 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", - "Description": "Detects potential network activity of ISL Online RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml", + "Description": "Detects potential network activity of Kaseya (VSA) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", - "Description": "Detects potential processes activity of ISL Online RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml", + "Description": "Detects potential files activity of Kaseya (VSA) RMM tool" } ], "References": [ - "https://help.islonline.com/19818/165940" + "https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements", + "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations", + "https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/", + "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations" ], "Acknowledgement": [] }, { - "Name": "Remote.it", - "Description": "Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Free Tools Launcher", + "Description": "Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -6750,48 +6727,26 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remote-it-installer.exe", - "remote.it.exe", - "remoteit.exe" + "C:\\Program Files\\ManageEngine\\ManageEngine Free Tools\\Launcher\\*", + "*\\ManageEngine\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "auth.api.remote.it", - "api.remote.it", - "remote.it" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml", - "Description": "Detects potential network activity of Remote.it RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml", - "Description": "Detects potential processes activity of Remote.it RMM tool" - } - ], - "References": [ - "https://docs.remote.it/introduction/get-started" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "Netreo", - "Description": "Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SecureCRT", + "Description": "SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -6805,42 +6760,33 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\*\\SecureCRT.EXE", + "*\\SecureCRT.EXE", + "*\\VanDyke Software\\ClientPack\\*" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "charon.netreo.net", - "activation.netreo.net", - "*.api.netreo.com", - "netreo.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml", - "Description": "Detects potential network activity of Netreo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml", + "Description": "Detects potential processes activity of SecureCRT RMM tool" } ], - "References": [ - "https://solutions.netreo.com/docs/firewall-requirements" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "NoteOn-desktop sharing", - "Description": "NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Chrome Remote Desktop", + "Description": "Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -6855,32 +6801,50 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nateon*.exe", - "nateon.exe", - "nateonmain.exe" + "remote_host.exe", + "remoting_host.exe", + "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*", + "*\\Google\\Chrome Remote Desktop\\*", + "*\\remoting_host.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*remotedesktop.google.com", + "*remotedesktop-pa.googleapis.com", + "remotedesktop.google.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml", - "Description": "Detects potential processes activity of NoteOn-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Chrome Remote Desktop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Chrome Remote Desktop RMM tool" } ], - "References": [], + "References": [ + "https://support.google.com/chrome/a/answer/2799701?hl=en" + ], "Acknowledgement": [] }, { - "Name": "Royal TS", - "Description": "Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GetScreen", + "Description": "GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -6895,7 +6859,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "royalts.exe" + "GetScreen.exe", + "getscreen.exe" ] }, "Artifacts": { 
@@ -6906,7 +6871,9 @@ { "Description": "Known remote domains", "Domains": [ - "royalapps.com" + "getscreen.me", + "GetScreen.me", + "*.getscreen.me" ], "Ports": [] } @@ -6914,23 +6881,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml", - "Description": "Detects potential network activity of Royal TS RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml", + "Description": "Detects potential network activity of GetScreen RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml", - "Description": "Detects potential processes activity of Royal TS RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml", + "Description": "Detects potential processes activity of GetScreen RMM tool" } ], - "References": [], + "References": [ + "https://docs.getscreen.me/self-hosted/system-requirements/" + ], "Acknowledgement": [] }, { - "Name": "DeskNets", - "Description": "DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "mstsc", + "Description": "mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -6944,7 +6913,10 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Windows\\System32\\mstsc.exe", + "*Windows\\System32\\mstsc.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -6952,18 +6924,21 @@ "Registry": [], "Network": [] }, - "Detections": [], - "References": [ - "https://www.desknets.com/en/download.html" + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml", + "Description": "Detects potential processes activity of mstsc RMM tool" + } ], + "References": [], "Acknowledgement": [] }, { - "Name": "QQ IM-remote assistance", - "Description": "QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Level.io", + "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -6978,9 +6953,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "qq.exe", - "QQProtect.exe", - "qqpcmgr.exe" + "level-windows-amd64.exe", + "level.exe", + "level-remote-control-ffmpeg.exe" ] }, "Artifacts": { @@ -6991,10 +6966,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.mdt.qq.com", - "*.desktop.qq.com", - "upload_data.qq.com", - "qq-messenger.en.softonic.com" + "level.io", + "*.level.io" ], "Ports": [] } 
@@ -7002,25 +6975,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml", - "Description": "Detects potential network activity of QQ IM-remote assistance RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", + "Description": "Detects potential network activity of Level.io RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml", - "Description": "Detects potential processes activity of QQ IM-remote assistance RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", + "Description": "Detects potential processes activity of Level.io RMM tool" } ], "References": [ - "https://en.wikipedia.org/wiki/Tencent_QQ" + "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" ], "Acknowledgement": [] }, { - "Name": "PuTTY Tray", - "Description": "PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TigerVNC", + "Description": "TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -7035,28 +7008,45 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\puttytray.exe", - "*\\puttytray.exe" + "tigervnc*.exe", + "winvnc4.exe", + "C:\\Program Files\\TightVNC\\*", + "*\\TightVNC\\*", + "*\\tvnserver.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml", - "Description": "Detects potential processes activity of PuTTY Tray RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml", + "Description": "Detects potential network activity of TigerVNC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml", + "Description": "Detects potential processes activity of TigerVNC RMM tool" } ], - "References": [], + "References": [ + "https://github.com/TigerVNC/tigervnc/releases" + ], "Acknowledgement": [] }, { - "Name": "XRDP", - "Description": "XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Dev Tunnels (aka Visual Studio Dev Tunnel)", + "Description": "Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -7079,18 +7069,31 @@ "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml", + "Description": "Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "FastViewer", - "Description": "FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Instant Housecall", + "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -7105,9 +7108,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "fastclient.exe", - "fastmaster.exe", - "FastViewer.exe" + "hsloader.exe", + "InstantHousecall.exe", + "ihcserver.exe", + "instanthousecall.exe" ] }, "Artifacts": { @@ -7118,8 +7122,10 @@ { "Description": "Known remote domains", "Domains": [ - "*.fastviewer.com", - "fastviewer.com" + "*.instanthousecall.com", + "secure.instanthousecall.com", + "*.instanthousecall.net", + "instanthousecall.com" ], "Ports": [] } 
@@ -7127,25 +7133,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml", - "Description": "Detects potential network activity of FastViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", + "Description": "Detects potential network activity of Instant Housecall RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml", - "Description": "Detects potential processes activity of FastViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", + "Description": "Detects potential processes activity of Instant Housecall RMM tool" } ], "References": [ - "https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf" + "https://instanthousecall.com/features/" ], "Acknowledgement": [] }, { - "Name": "Jump Desktop", - "Description": "Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ScreenMeet", + "Description": "ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -7160,11 +7166,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "jumpclient.exe", - "jumpdesktop.exe", - "jumpservice.exe", - "jumpconnect.exe", - "jumpupdater.exe" + "ScreenMeetSupport.exe", + "ScreenMeet.Support.exe" ] }, "Artifacts": { @@ -7175,10 +7178,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.jumpdesktop.com", - "jumpdesktop.com", - "jumpto.me", - "*.jumpto.me" + "*.screenmeet.com", + "*.scrn.mt" ], "Ports": [] } 
@@ -7186,25 +7187,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Jump Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml", + "Description": "Detects potential network activity of ScreenMeet RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Jump Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml", + "Description": "Detects potential processes activity of ScreenMeet RMM tool" } ], "References": [ - "https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect" + "https://docs.screenmeet.com/docs/firewall-white-list" ], "Acknowledgement": [] }, { - "Name": "Ivanti Remote Control", - "Description": "Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeAnyWhere", + "Description": "BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -7219,9 +7220,14 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "IvantiRemoteControl.exe", - "ArcUI.exe", - "AgentlessRC.exe" + "basuptshelper.exe", + "basupsrvcupdate.exe", + "BASupApp.exe", + "BASupSysInf.exe", + "BASupAppSrvc.exe", + "TakeControl.exe", + "BASupAppElev.exe", + "basupsrvc.exe" ] }, "Artifacts": { 
@@ -7232,7 +7238,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.ivanticloud.com" + "beanywhere.en.uptodown.com/windows", + "beanywhere.com" ], "Ports": [] } @@ -7240,25 +7247,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml", - "Description": "Detects potential network activity of Ivanti Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml", + "Description": "Detects potential network activity of BeAnyWhere RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml", - "Description": "Detects potential processes activity of Ivanti Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of BeAnyWhere RMM tool" } ], "References": [ - "https://rc1.ivanticloud.com/" + "https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx" ], "Acknowledgement": [] }, { - "Name": "BeInSync", - "Description": "BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Ultra VNC", + "Description": "Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
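Review bot: `beanywhere.en.uptodown.com/windows` in the BeAnyWhere `Domains` list is a URL path on a third-party download mirror, not a host the remote-control agent contacts; a rule that treats the string as a hostname will never match, and one that truncates it to the host would flag visits to a generic software-download site instead of BeAnyWhere traffic. Keep `beanywhere.com` and move the mirror URL to `References` (or drop it). The same URL-in-`Domains` pattern appears elsewhere in this update (`site24x7.com/msp`, `eset.com/me/business/...`), so it is worth fixing in the upstream records that generate this file rather than entry by entry here.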
@@ -7273,45 +7280,34 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Beinsync*.exe" + "C:\\Program Files\\uvnc bvba\\UltraVNC\\*", + "*\\uvnc bvba\\UltraVNC\\*", + "*\\UVNC_Launch.exe", + "*\\winvnc.exe", + "*\\vncviewer.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.beinsync.net", - "*.beinsync.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml", - "Description": "Detects potential network activity of BeInSync RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml", - "Description": "Detects potential processes activity of BeInSync RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml", + "Description": "Detects potential processes activity of Ultra VNC RMM tool" } ], - "References": [ - "https://en.wikipedia.org/wiki/Phoenix_Technologies" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "NateOn-desktop sharing", - "Description": "NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "JollysFastVNC", + "Description": "JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -7325,47 +7321,24 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "nateon*.exe", - "nateon.exe", - "nateonmain.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.nate.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml", - "Description": "Detects potential network activity of NateOn-desktop sharing RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml", - "Description": "Detects potential processes activity of NateOn-desktop sharing RMM tool" - } - ], - "References": [ - "http://rsupport.nate.com/rview/r8/main/index.aspx" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "Xeox", - "Description": "Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Site24x7", + "Description": "Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/13/2024", "Details": { "Website": "", "PEMetadata": { @@ -7380,10 +7353,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "xeox-agent_x64.exe", - "xeox_service_windows.exe", - "xeox-agent_*.exe", - "xeox-agent_x86.exe" + "MEAgentHelper.exe", + "MonitoringAgent.exe", + "Site24x7WindowsAgentTrayIcon.exe", + "Site24x7PluginAgent.exe" ] }, "Artifacts": { 
@@ -7394,8 +7367,12 @@ { "Description": "Known remote domains", "Domains": [ - "*.xeox.com", - "xeox.com" + "plus*.site24x7.com", + "plus*.site24x7.eu", + "plus*.site24x7.in", + "plus*.site24x7.cn", + "plus*.site24x7.net.au", + "site24x7.com/msp" ], "Ports": [] } @@ -7403,22 +7380,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml", - "Description": "Detects potential network activity of Xeox RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml", + "Description": "Detects potential network activity of Site24x7 RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml", - "Description": "Detects potential processes activity of Xeox RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml", + "Description": "Detects potential processes activity of Site24x7 RMM tool" } ], "References": [ - "https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW" + "https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent" ], "Acknowledgement": [] }, { - "Name": "WinSCP", - "Description": "WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ManageEngine", + "Description": "ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -7436,10 +7413,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\IEUser\\Downloads\\WinSCP-5.21.6-Portable\\*", - "*\\WinSCP*Portable\\*", - "*\\WinSCP.exe", - "*\\WinSCP\\*" + "InstallShield Setup.exe", + "ManageEngine_Remote_Access_Plus.exe", + "*\\dcagentservice.exe", + "C:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\*", + "*\\DesktopCentral_Agent\\bin\\*" ] }, "Artifacts": { @@ -7450,19 +7428,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml", - "Description": "Detects potential processes activity of WinSCP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml", + "Description": "Detects potential processes activity of ManageEngine RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "DW Service", - "Description": "DW Service is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Syncro", + "Description": "Syncro is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/13/2024", "Details": { "Website": "", "PEMetadata": { @@ -7477,9 +7455,16 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "dwagsvc.exe", - "dwagent.exe", - "dwagsvc.exe" + "Syncro.Installer.exe", + "Kabuto.App.Runner.exe", + "Syncro.Overmind.Service.exe", + "Kabuto.Installer.exe", + "KabutoSetup.exe", + "Syncro.Service.exe", + "Kabuto.Service.Runner.exe", + "Syncro.App.Runner.exe", + "SyncroLive.Service.exe", + "SyncroLive.Agent.exe" ] }, "Artifacts": { 
@@ -7490,7 +7475,17 @@ { "Description": "Known remote domains", "Domains": [ - "*.dwservice.net" + "kabuto.io", + "*.syncromsp.com", + "*.syncroapi.com", + "syncromsp.com", + "servably.com", + "ld.aurelius.host", + "app.kabuto.io ", + "*.kabutoservices.com", + "repairshopr.com", + "kabutoservices.com", + "attachments.servably.com" ], "Ports": [] } @@ -7498,25 +7493,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml", - "Description": "Detects potential network activity of DW Service RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml", + "Description": "Detects potential network activity of Syncro RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml", - "Description": "Detects potential processes activity of DW Service RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml", + "Description": "Detects potential processes activity of Syncro RMM tool" } ], "References": [ - "https://news.dwservice.net/dwservice-security-infrastructure/" + "https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004" ], "Acknowledgement": [] }, { - "Name": "NTR Remote", - "Description": "NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote Utilities", + "Description": "Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -7531,7 +7526,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "NTRsupportPro_EN.exe" + "rutview.exe", + "rutserv.exe" ] }, "Artifacts": { 
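Review bot: `"app.kabuto.io "` in the new Syncro `Domains` list carries a trailing space, so any consumer doing exact or suffix matching on this array (including a network Sigma rule generated from it) will silently never match the real hostname; the value should be `"app.kabuto.io"`. Mixing apex names with their wildcard forms (`kabuto.io`, `*.kabutoservices.com`, `kabutoservices.com`) is harmless, but stray whitespace is a silent miss that is easy to overlook in a 10k-line generated diff. As this file is build output, the trim belongs in the upstream Syncro record, ideally with a generator-side `strip()` on every domain string so it cannot recur.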
@@ -7542,7 +7538,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.ntrsupport.com" + "*.internetid.ru" ], "Ports": [] } @@ -7550,25 +7546,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml", - "Description": "Detects potential network activity of NTR Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml", + "Description": "Detects potential network activity of Remote Utilities RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml", - "Description": "Detects potential processes activity of NTR Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote Utilities RMM tool" } ], "References": [ - "DOA as of 2024" + "https://www.remoteutilities.com/download/" ], "Acknowledgement": [] }, { - "Name": "TurboMeeting", - "Description": "TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Microsoft Quick Assist", + "Description": "Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -7583,9 +7579,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pcstarter.exe", - "turbomeeting.exe", - "turbomeetingstarter.exe" + "quickassist.exe" ] }, "Artifacts": { @@ -7597,7 +7591,7 @@ "Description": "Known remote domains", "Domains": [ "user_managed", - "acceo.com/turbomeeting/" + "*.support.services.microsoft.com" ], "Ports": [] } 
@@ -7605,22 +7599,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml", - "Description": "Detects potential network activity of TurboMeeting RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml", + "Description": "Detects potential network activity of Microsoft Quick Assist RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml", - "Description": "Detects potential processes activity of TurboMeeting RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft Quick Assist RMM tool" } ], "References": [ - "http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv" + "https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca" ], "Acknowledgement": [] }, { - "Name": "RemoteUtilities", - "Description": "RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remmina", + "Description": "Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -7637,48 +7631,24 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "rutview.exe", - "*\\Remote Manipulator System - Server\\*", - "C:\\Program Files\\Remote Utilities\\*", - "*\\Remote Utilities\\*", - "rutserv.exe", - "*\\rutserv.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "remoteutilities.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml", - "Description": "Detects potential network activity of RemoteUtilities RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml", - "Description": "Detects potential processes activity of RemoteUtilities RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "Pulseway", - "Description": "Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CrossLoop", + "Description": "CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -7693,8 +7663,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "PCMonitorManager.exe", - "pcmonitorsrv.exe" + "crossloopservice.exe", + "CrossLoopConnect.exe", + "WinVNCStub.exe" ] }, "Artifacts": { @@ -7705,7 +7676,8 @@ { "Description": "Known remote domains", "Domains": [ - "pulseway.com" + "*.crossloop.com", + "crossloop.en.softonic.com" ], "Ports": [] } 
@@ -7713,25 +7685,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml", - "Description": "Detects potential network activity of Pulseway RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml", + "Description": "Detects potential network activity of CrossLoop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml", - "Description": "Detects potential processes activity of Pulseway RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml", + "Description": "Detects potential processes activity of CrossLoop RMM tool" } ], "References": [ - "https://intercom.help/pulseway/en/" + "www.CrossLoop.com -> redirects to avast.com" ], "Acknowledgement": [] }, { - "Name": "Panorama9", - "Description": "Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ESET Remote Administrator", + "Description": "ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -7746,7 +7718,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "p9agent*.exe" + "era.exe", + "einstaller.exe", + "ezhelp*.exe", + "eratool.exe", + "ERAAgent.exe" ] }, "Artifacts": { @@ -7757,9 +7733,8 @@ { "Description": "Known remote domains", "Domains": [ - "trusted.panorama9.com", - "changes.panorama9.com", - "panorama9.com" + "user_managed", + "eset.com/me/business/remote-management/remote-administrator/" ], "Ports": [] } 
@@ -7767,16 +7742,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml", - "Description": "Detects potential network activity of Panorama9 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml", + "Description": "Detects potential network activity of ESET Remote Administrator RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml", - "Description": "Detects potential processes activity of Panorama9 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml", + "Description": "Detects potential processes activity of ESET Remote Administrator RMM tool" } ], "References": [ - "https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with" + "eset.com/me/business/remote-management/remote-administrator/" ], "Acknowledgement": [] }, 
@@ -8138,42 +8113,11 @@ ] }, { - "Name": "JollysFastVNC", - "Description": "JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "RunSmart", - "Description": "RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NoMachine", + "Description": "NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -8187,7 +8131,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "nomachine*.exe", + "nxservice*.ese", + "nxd.exe" + ] }, "Artifacts": { "Disk": [], @@ -8197,7 +8145,8 @@ { "Description": "Known remote domains", "Domains": [ - "runsmart.io" + "user_managed", + "nomachine.com" ], "Ports": [] } 
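Review bot: `"nxservice*.ese"` in the NoMachine `InstallationPaths` hunk (`@@ -8187,7 +8131,11 @@`) looks like a typo for `"nxservice*.exe"`; as written, a process-name rule derived from it will never fire for the NoMachine service binary while still looking like coverage exists. This should be confirmed against the vendor documentation and corrected in the upstream tool record, since this JSON is generated. A generator-side check that every `InstallationPaths` entry ends in a known extension or a path wildcard would catch this class of error before it reaches the published API.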
@@ -8205,19 +8154,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml", - "Description": "Detects potential network activity of RunSmart RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml", + "Description": "Detects potential network activity of NoMachine RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml", + "Description": "Detects potential processes activity of NoMachine RMM tool" } ], - "References": [], + "References": [ + "https://kb.nomachine.com/AR04S01122" + ], "Acknowledgement": [] }, { - "Name": "Chrome Remote Desktop", - "Description": "Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ISL Light", + "Description": "ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -8232,11 +8187,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remote_host.exe", - "remoting_host.exe", - "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*", - "*\\Google\\Chrome Remote Desktop\\*", - "*\\remoting_host.exe" + "islalwaysonmonitor.exe", + "isllight.exe", + "isllightservice.exe" ] }, "Artifacts": { @@ -8247,9 +8200,7 @@ { "Description": "Known remote domains", "Domains": [ - "*remotedesktop.google.com", - "*remotedesktop-pa.googleapis.com", - "remotedesktop.google.com" + "islonline.com" ], "Ports": [] } 
@@ -8257,25 +8208,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Chrome Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml", + "Description": "Detects potential network activity of ISL Light RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Chrome Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml", + "Description": "Detects potential processes activity of ISL Light RMM tool" } ], - "References": [ - "https://support.google.com/chrome/a/answer/2799701?hl=en" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Netviewer (GoToMeet)", - "Description": "Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Yandex.Disk", + "Description": "Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -8290,8 +8239,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nvClient.exe", - "netviewer.exe" + "C:\\Program Files (x86)\\Yandex\\*", + "*\\Yandex\\*", + "*\\YandexDisk2.exe" ] }, "Artifacts": { 
@@ -8302,18 +8252,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml", - "Description": "Detects potential processes activity of Netviewer (GoToMeet) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml", + "Description": "Detects potential processes activity of Yandex.Disk RMM tool" } ], - "References": [ - "Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Netviewer", - "Description": "Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ManageEngine RMM Central", + "Description": "ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -8330,10 +8278,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "netviewer*.exe", - "netviewer.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -8343,7 +8288,7 @@ { "Description": "Known remote domains", "Domains": [ - "download.cnet.com/Net-Viewer/3000-2370_4-10034828.html" + "manageengine.com/remote-monitoring-management/" ], "Ports": [] } 
@@ -8351,23 +8296,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml", - "Description": "Detects potential network activity of Netviewer RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml", - "Description": "Detects potential processes activity of Netviewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml", + "Description": "Detects potential network activity of ManageEngine RMM Central RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "ConnectWise Control", - "Description": "ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Seetrol", + "Description": "Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -8382,9 +8323,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "connectwisechat-customer.exe", - "connectwisecontrol.client.exe", - "screenconnect.windowsclient.exe" + "seetrolcenter.exe", + "seetrolclient.exe", + "seetrolmyservice.exe", + "seetrolremote.exe", + "seetrolsetting.exe" ] }, "Artifacts": { @@ -8395,8 +8338,7 @@ { "Description": "Known remote domains", "Domains": [ - "live.screenconnect.com", - "control.connectwise.com" + "seetrol.co.kr" ], "Ports": [] } 
@@ -8404,23 +8346,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml", - "Description": "Detects potential network activity of ConnectWise Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml", + "Description": "Detects potential network activity of Seetrol RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml", - "Description": "Detects potential processes activity of ConnectWise Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml", + "Description": "Detects potential processes activity of Seetrol RMM tool" } ], - "References": [], + "References": [ + "http://www.seetrol.com/en/features/features3.php" + ], "Acknowledgement": [] }, { - "Name": "ExtraPuTTY", - "Description": "ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "AweRay", + "Description": "AweRay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -8435,32 +8379,46 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", - "*Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", - "*\\ExtraPuTTY-0.30-2016-01-28-installer.exe" + "aweray_remote*.exe", + "AweSun.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "asapi*.aweray.net", + "client-api.aweray.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml", - "Description": "Detects potential processes activity of ExtraPuTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml", + "Description": "Detects potential network activity of AweRay RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml", + "Description": "Detects potential processes activity of AweRay RMM tool" } ], - "References": [], + "References": [ + "https://sun.aweray.com/help" + ], "Acknowledgement": [] }, { - "Name": "FleetDeck.io", - "Description": "FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "OCS inventory", + "Description": "OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -8475,11 +8433,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "fleetdeck_agent_svc.exe", - "fleetdeck_commander_svc.exe", - "fleetdeck_installer.exe", - "fleetdeck_commander_launcher.exe", - "fleetdeck_agent.exe" + "ocsinventory.exe", + "ocsservice.exe" ] }, "Artifacts": { 
@@ -8490,9 +8445,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.fleetdeck.io", - "cognito-idp.us-west-2.amazonaws.com", - "fleetdeck.io" + "user_managed", + "ocsinventory-ng.org" ], "Ports": [] } @@ -8500,25 +8454,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml", - "Description": "Detects potential network activity of FleetDesk.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml", + "Description": "Detects potential network activity of OCS inventory RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml", - "Description": "Detects potential processes activity of FleetDesk.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml", + "Description": "Detects potential processes activity of OCS inventory RMM tool" } ], "References": [ - "https://fleetdeck.io/faq/" + "https://ocsinventory-ng.org/?page_id=878&lang=en" ], "Acknowledgement": [] }, { - "Name": "HelpU", - "Description": "HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GoTo Opener", + "Description": "GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -8533,47 +8487,137 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "helpu_install.exe", - "HelpuUpdater.exe", - "HelpuManager.exe" + "C:\\Program Files (x86)\\GoTo Opener", + "*\\GoTo Opener" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "AnyViewer", + "Description": "AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", + "Author": "@kostastsale", + "Created": "2024-08-03", + "LastModified": "2024-08-03", + "Details": { + "Website": "https://www.anyviewer.com/", + "PEMetadata": [ + { + "Filename": "AnyViewer.exe", + "OriginalFileName": "AnyViewer", + "Description": "Splash Window" + }, + { + "Filename": "RCClient.exe", + "OriginalFileName": "RCClient.exe", + "Description": "AnyViewer Core" + }, + { + "Filename": "ScreanCap.exe", + "Description": "Screan capture" + }, + { + "Filename": "AVCore.exe" + }, + { + "Filename": "RCService.exe" + } + ], + "Privileges": "System", + "Free": "up to 10 devices", + "Verification": "None", + "SupportedOS": [ + "Windows" + ], + "Capabilities": [ + "Remote desktop", + "Remote file transfer", + "Remote monitoring and management", + "Remote shell open" + ], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Program Files (x86)\\AnyViewer\\*" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [ + { + "EventID": 4688, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "CommandLine": "\"C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\" -d", + "Description": "Taking actions on the remote machine such as opening a command prompt." 
+ }, + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "RCService", + "ImagePath": "C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe", + "Description": "AnyViewer service installation service." + } + ], + "Registry": [], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "helpu.co.kr", - "*.helpu.co.kr" + "*.anyviewer.com" ], - "Ports": [] + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.aomeisoftware.com" + ], + "Ports": [ + 443 + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml", - "Description": "Detects potential network activity of HelpU RMM tool" + "Name": "Arbitrary code execution and remote sessions via Action1 RMM", + "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", + "author": "@kostastsale", + "Link": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml", - "Description": "Detects potential processes activity of HelpU RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml", + "Description": "Detects potential network activity of AnyViewer RMM tool" } ], "References": [ - "https://helpu.co.kr/" + "https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html", + "https://www.anyviewer.com/help/remote-technical-support.html" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Kostas", + "Handle": "@kostastsale" + } + ] }, { - "Name": "ToDesk", - "Description": "ToDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "NetSupport Manager", + "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -8588,9 +8632,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "todesk.exe", - "ToDesk_Service.exe", - "ToDesk_Setup.exe" + "pcictlui.exe", + "pcicfgui.exe", + "client32.exe" ] }, "Artifacts": { @@ -8601,10 +8645,8 @@ { "Description": "Known remote domains", "Domains": [ - "todesk.com", - "*.todesk.com", - "*.todesk.com", - "todesktop.com" + "*.netsupportmanager.com", + "netsupportmanager.com" ], "Ports": [] } 
@@ -8612,147 +8654,80 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml", - "Description": "Detects potential network activity of ToDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml", + "Description": "Detects potential network activity of NetSupport Manager RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml", - "Description": "Detects potential processes activity of ToDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml", + "Description": "Detects potential processes activity of NetSupport Manager RMM tool" } ], "References": [ - "https://www.todesk.com/" + "https://www.netsupportmanager.com/resources/" ], "Acknowledgement": [] }, { - "Name": "RAdmin", - "Description": "RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", + "Name": "pcAnywhere", + "Description": "pcAnywhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", "Details": { - "Website": "https://www.radmin.com/", - "PEMetadata": [ - { - "Filename": "RServer3.exe", - "OriginalFileName": "RServer3.exe", - "InternalName": "RServer3", - "Description": "Radmin Server", - "Product": "Radmin Server", - "Comments": "Radmin - Remote Control Server" - }, - { - "Filename": "Radmin.exe", - "OriginalFileName": "Radmin.exe", - "InternalName": "Radmin", - "Description": "Radmin Viewer", - "Product": "Radmin Viewer", - "Comments": "Radmin Viewer" - } - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, "Privileges": "", "Free": "", "Verification": "", - "SupportedOS": [ - "Windows" - ], + "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Radmin Viewer 3\\Radmin.exe", - "C:\\Windows\\SysWOW64\\rserver30\\rserver3.exe", - "C:\\Windows\\SysWOW64\\rserver30\\FamItrfc", - "C:\\Windows\\SysWOW64\\rserver30\\FamItrf2" + "awhost32.exe", + "awrem32.exe", + "pcaquickconnect.exe", + "winaw32.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm", - "Description": "RAdmin log file (32-bit)", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\System32\\rserver30\\Radm_log.htm", - "Description": "RAdmin log file (64-bit)", - "OS": "Windows" - }, + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { - "File": "C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm", - "Description": "RAdmin chat logs", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm", - "Description": "RAdmin user chat logs", - "OS": "Windows" - } - ], - "EventLog": [], - "Registry": [ - { - "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security", - "Description": "N/A" - } - ], - "Network": [ - { - "Description": 
"N/A", + "Description": "Known remote domains", "Domains": [ - "radmin.com" + "user_managed" ], - "Ports": [ - 443 - ] + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml", - "Description": "PUA - Radmin Viewer Utility Execution" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml", - "Description": "Enumeration for 3rd Party Creds From CLI" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml", - "Description": "Detects potential registry activity of RAdmin RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml", - "Description": "Detects potential network activity of RAdmin RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml", - "Description": "Detects potential files activity of RAdmin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml", + "Description": "Detects potential network activity of pcAnywhere RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml", - "Description": "Detects potential processes activity of RAdmin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of pcAnywhere RMM tool" } ], "References": [ - "https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/", - "https://helpdesk.radmin.com/radmin3help/", - "https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm", - 
"https://helpdesk.radmin.com/radmin3help/files/cmd.htm" + "https://en.wikipedia.org/wiki/PcAnywhere" ], - "Acknowledgement": [ - { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" - } - ] + "Acknowledgement": [] }, { - "Name": "CrossLoop", - "Description": "CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RES Automation Manager", + "Description": "RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -8767,9 +8742,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "crossloopservice.exe", - "CrossLoopConnect.exe", - "WinVNCStub.exe" + "wisshell*.exe", + "wmc.exe", + "wmc_deployer.exe", + "wmcsvc.exe" ] }, "Artifacts": { @@ -8780,8 +8756,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.crossloop.com", - "crossloop.en.softonic.com" + "user_managed", + "ivanti.com/" ], "Ports": [] } 
@@ -8789,25 +8765,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml", - "Description": "Detects potential network activity of CrossLoop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml", + "Description": "Detects potential network activity of RES Automation Manager RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml", - "Description": "Detects potential processes activity of CrossLoop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml", + "Description": "Detects potential processes activity of RES Automation Manager RMM tool" } ], "References": [ - "www.CrossLoop.com -> redirects to avast.com" + "https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1" ], "Acknowledgement": [] }, { - "Name": "Centurion", - "Description": "Centurion is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Rocket Remote Desktop", + "Description": "Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -8822,44 +8798,141 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ctiserv.exe" + "RDConsole.exe", + "RocketRemoteDesktop_Setup.exe" ] }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Rocket Remote Desktop RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "LogMeIn", + "Description": "LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", + "Details": { + "Website": "https://www.logmein.com/", + "PEMetadata": [ + { + "Filename": "lmiguardiansvc.exe" + }, + { + "Filename": "lmiignition.exe" + }, + { + "Filename": "logmeinsystray.exe" + }, + { + "Filename": "logmein.exe", + "OriginalFileName": "", + "Company": "LogMeIn, Inc.", + "Description": "LMIGuardianSvc", + "Product": "LMIGuardianSvc" + } + ], + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": null + }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "centuriontech.com" + "logmein-gateway.com" ], - "Ports": [] + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.logmein.com" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.logmein.eu" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "logmeinrescue.com" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.logmeininc.com" + ], + "Ports": [ + 443 + ] } ] }, "Detections": [ { - "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml", - "Description": "Detects potential network activity of Centurion RMM tool" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml", + "Description": "DNS Query To Remote Access Software Domain From Non-Browser App" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml", - "Description": "Detects potential processes activity of Centurion RMM tool" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml", + "Description": "Remote Access Tool - LogMeIn Execution" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml", + "Description": "Detects potential network activity of LogMeIn RMM tool" } ], "References": [ - "https://data443.atlassian.net/servicedesk/customer/portal/20" + "https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" + } + ] }, { - "Name": "KickIdler", - "Description": "KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Solar-PuTTY", + "Description": "Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -8874,42 +8947,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "grabberEM.*msi", - "grabberTT*.msi" + "C:\\Program Files\\Solar-Putty-v4\\*", + "*\\Solar-Putty-v4\\*", + "*\\Solar-PuTTY.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "kickidler.com", - "my.kickidler.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml", - "Description": "Detects potential network activity of KickIdler RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml", + "Description": "Detects potential processes activity of Solar-PuTTY RMM tool" } ], - "References": [ - "https://www.kickidler.com/for-it/faq/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Syncro", - "Description": "Syncro is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SuperOps", + "Description": "SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/13/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -8924,17 +8987,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Syncro.Installer.exe", - "Kabuto.App.Runner.exe", - "Syncro.Overmind.Service.exe", - "Kabuto.Installer.exe", - "KabutoSetup.exe", - "Syncro.Service.exe", - "Kabuto.Service.Runner.exe", - "Syncro.App.Runner.exe", - "SyncroLive.Service.exe", - "SyncroLive.Agent.exe" - ] + "superopsticket.exe", + "superops.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -8944,17 +8999,11 @@ { "Description": "Known remote domains", "Domains": [ - "kabuto.io", - "*.syncromsp.com", - "*.syncroapi.com", - "syncromsp.com", - "servably.com", - "ld.aurelius.host", - "app.kabuto.io ", - "*.kabutoservices.com", - "repairshopr.com", - "kabutoservices.com", - "attachments.servably.com" + "*.superopsbeta.com", + "superops.ai", + "serv.superopsalpha.com", + "*.superops.ai", + "*.superopsalpha.com" ], "Ports": [] } 
@@ -8962,22 +9011,84 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml", - "Description": "Detects potential network activity of Syncro RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml", + "Description": "Detects potential network activity of SuperOps RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml", - "Description": "Detects potential processes activity of Syncro RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml", + "Description": "Detects potential processes activity of SuperOps RMM tool" } ], "References": [ - "https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004" + "https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent" ], "Acknowledgement": [] }, { - "Name": "AweRay", - "Description": "AweRay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RealVNC", + "Description": "RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "NordLocker", + "Description": "NordLocker is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Auvik", + "Description": "Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -8995,8 +9106,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "aweray_remote*.exe", - "AweSun.exe" + "auvik.engine.exe", + "auvik.agent.exe" ] }, "Artifacts": { @@ -9007,8 +9118,9 @@ { "Description": "Known remote domains", "Domains": [ - "asapi*.aweray.net", - "client-api.aweray.com" + "*.my.auvik.com", + "*.auvik.com", + "auvik.com" ], "Ports": [] } 
@@ -9016,25 +9128,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml", - "Description": "Detects potential network activity of AweRay RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml", + "Description": "Detects potential network activity of Auvik RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml", - "Description": "Detects potential processes activity of AweRay RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml", + "Description": "Detects potential processes activity of Auvik RMM tool" } ], "References": [ - "https://sun.aweray.com/help" + "https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use" ], "Acknowledgement": [] }, { - "Name": "SunLogin", - "Description": "SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "AeroAdmin", + "Description": "AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -9049,9 +9161,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "OrayRemoteShell.exe", - "OrayRemoteService.exe", - "sunlogin*.exe" + "aeroadmin.exe", + "AeroAdmin.exe" ] }, "Artifacts": { @@ -9062,8 +9173,8 @@ { "Description": "Known remote domains", "Domains": [ - "sunlogin.oray.com", - "client.oray.net" + "auth*.aeroadmin.com", + "aeroadmin.com" ], "Ports": [] } 
@@ -9071,22 +9182,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml", - "Description": "Detects potential network activity of SunLogin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml", + "Description": "Detects potential network activity of AeroAdmin RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml", - "Description": "Detects potential processes activity of SunLogin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml", + "Description": "Detects potential processes activity of AeroAdmin RMM tool" } ], "References": [ - "https://sunlogin.oray.com/en/embed/software.html" + "https://support.aeroadmin.com/kb/faq.php?id=58" ], "Acknowledgement": [] }, { - "Name": "Koofr", - "Description": "Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netop", + "Description": "Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -9103,7 +9214,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files\\Danware Data\\NetOp Packn Deploy\\*", + "*\\Danware Data\\NetOp Packn Deploy\\*", + "*\\Netop Remote Control\\*" + ] }, "Artifacts": { "Disk": [], 
@@ -9116,8 +9231,8 @@ "Acknowledgement": [] }, { - "Name": "SysAid", - "Description": "SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "KiTTY", + "Description": "KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -9135,10 +9250,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\SysAidServer\\*", - "*\\SysAidServer\\*", - "*\\SysAid\\*", - "*\\IliAS.exe" + "C:\\*\\kitty.exe", + "*\\kitty.exe" ] }, "Artifacts": { @@ -9149,19 +9262,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml", - "Description": "Detects potential processes activity of SysAid RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml", + "Description": "Detects potential processes activity of KiTTY RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Neturo", - "Description": "Neturo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Level", + "Description": "Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -9175,11 +9288,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "neturo*.exe", - "ntrntservice.exe", - "neturo.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -9189,7 +9298,7 @@ { "Description": "Known remote domains", "Domains": [ - "neturo.uplus.co.kr" + "level.io" ], "Ports": [] } 
@@ -9197,25 +9306,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml", - "Description": "Detects potential network activity of Neturo RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml", - "Description": "Detects potential processes activity of Neturo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml", + "Description": "Detects potential network activity of Level RMM tool" } ], - "References": [ - "Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "SmarTTY", - "Description": "SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CloudFlare Tunnel", + "Description": "CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -9230,29 +9333,41 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "c:\\Program Files (x86)\\Sysprogs\\SmarTTY\\*", - "*\\Sysprogs\\SmarTTY\\*", - "*\\SmarTTY.exe" + "cloudflared.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "cloudflare.com/products/tunnel/" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml", - "Description": "Detects potential processes activity of SmarTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml", + "Description": "Detects potential network activity of CloudFlare Tunnel RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml", + "Description": "Detects potential processes activity of CloudFlare Tunnel RMM tool" } ], - "References": [], + "References": [ + "cloudflare.com/products/tunnel/" + ], "Acknowledgement": [] }, { - "Name": "Impero Connect", - "Description": "Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MEGAsync", + "Description": "MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -9270,42 +9385,35 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ImperoClientSVC.exe" + "C:\\Users\\*\\AppData\\Local\\MEGAsync\\*", + "*Users\\*\\AppData\\Local\\MEGAsync\\*", + "*Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", + "*ProgramData\\MEGAsync\\*", + "*\\MEGAsyncSetup64.exe", + "*\\MEGAupdater.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "imperosoftware.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml", - "Description": "Detects potential network activity of Impero Connect RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of Impero Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml", + "Description": "Detects potential processes activity of MEGAsync RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "247ithelp.com (ConnectWise)", - "Description": "247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Xshell", + "Description": "Xshell is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -9320,7 +9428,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Remote Workforce Client.exe" + "C:\\Program Files (x86)\\NetSarang\\xShell\\*", + "*\\NetSarang\\xShell\\*", + "*\\xShell.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml", + "Description": "Detects potential processes activity of Xshell RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Naverisk", + "Description": "Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "AgentSetup-*.exe" ] }, "Artifacts": { @@ -9331,7 +9479,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.247ithelp.com" + "user_managed", + "naverisk.com" ], "Ports": [] } 
@@ -9339,25 +9488,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml", - "Description": "Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml", + "Description": "Detects potential network activity of Naverisk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml", - "Description": "Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml", + "Description": "Detects potential processes activity of Naverisk RMM tool" } ], "References": [ - "Similar / replaced by ScreenConnect" + "http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents" ], "Acknowledgement": [] }, { - "Name": "Remobo", - "Description": "Remobo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Mikogo", + "Description": "Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -9372,9 +9521,14 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remobo.exe", - "remobo_client.exe", - "remobo_tracker.exe" + "mikogo.exe", + "mikogo-starter.exe", + "mikogo-service.exe", + "mikogolauncher.exe", + "C:\\Users\\*\\AppData\\Roaming\\Mikogo\\*", + "*Users\\*\\AppData\\Roaming\\Mikogo\\*", + "*\\Mikogo-Service.exe", + "*\\Mikogo-Screen-Service.exe" ] }, "Artifacts": { 
@@ -9385,8 +9539,10 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "remobo.en.softonic.com" + "*.real-time-collaboration.com", + "*.mikogo4.com", + "*.mikogo.com", + "mikogo.com" ], "Ports": [] } @@ -9394,25 +9550,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml", - "Description": "Detects potential network activity of Remobo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml", + "Description": "Detects potential network activity of Mikogo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml", - "Description": "Detects potential processes activity of Remobo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml", + "Description": "Detects potential processes activity of Mikogo RMM tool" } ], "References": [ - "https://www.remobo.com - DOA as of 2024" + "https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services" ], "Acknowledgement": [] }, { - "Name": "Free Tools Launcher", - "Description": "Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PSEXEC", + "Description": "PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -9427,26 +9583,45 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\ManageEngine\\ManageEngine Free Tools\\Launcher\\*", - "*\\ManageEngine\\*" + "psexec.exe", + "psexecsvc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml", + "Description": "Detects potential network activity of PSEXEC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml", + "Description": "Detects potential processes activity of PSEXEC RMM tool" + } + ], + "References": [ + "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec" + ], "Acknowledgement": [] }, { - "Name": "Echoware", - "Description": "Echoware is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemoteUtilities", + "Description": "RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -9461,31 +9636,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "echoserver*.exe", - "echoware.dll" + "rutview.exe", + "*\\Remote Manipulator System - Server\\*", + "C:\\Program Files\\Remote Utilities\\*", + "*\\Remote Utilities\\*", + "rutserv.exe", + "*\\rutserv.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "remoteutilities.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml", - "Description": "Detects potential processes activity of Echoware RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml", + "Description": "Detects potential network activity of RemoteUtilities RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml", + "Description": "Detects potential processes activity of RemoteUtilities RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Zoho Assist", - "Description": "Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Panorama9", + "Description": "Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -9500,16 +9691,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "zaservice.exe", - "ZMAgent.exe", - "C:\\*\\ZA_Access.exe", - "ZohoMeeting.exe", - "Zohours.exe", - "zohotray.exe", - "ZohoURSService.exe", - "*\\ZA_Access.exe", - "Zaservice.exe", - "za_connect.exe" + "p9agent*.exe" ] }, "Artifacts": { 
@@ -9520,19 +9702,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.zoho.com.au", - "*.zohoassist.jp", - "assist.zoho.com", - "zoho.com/assist/", - "*.zoho.in", - "downloads.zohodl.com.cn", - "*.zohoassist.com", - "downloads.zohocdn.com", - "gateway.zohoassist.com", - "*.zohoassist.com.cn", - "*.zoho.com.cn", - "*.zoho.com", - "*.zoho.eu" + "trusted.panorama9.com", + "changes.panorama9.com", + "panorama9.com" ], "Ports": [] } @@ -9540,25 +9712,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml", - "Description": "Detects potential network activity of Zoho Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml", + "Description": "Detects potential network activity of Panorama9 RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml", - "Description": "Detects potential processes activity of Zoho Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml", + "Description": "Detects potential processes activity of Panorama9 RMM tool" } ], "References": [ - "https://www.zoho.com/assist/kb/firewall-configuration.html" + "https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with" ], "Acknowledgement": [] }, { - "Name": "KiTTY", - "Description": "KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "WebEx (Remote Access)", + "Description": "WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -9572,10 +9744,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\*\\kitty.exe", - "*\\kitty.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -9583,18 +9752,15 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml", - "Description": "Detects potential processes activity of KiTTY RMM tool" - } + "Detections": [], + "References": [ + "https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access" ], - "References": [], "Acknowledgement": [] }, { - "Name": "SimpleHelp", - "Description": "SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pcnow", + "Description": "Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -9612,11 +9778,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "simplehelpcustomer.exe", - "simpleservice.exe", - "simplegatewayservice.exe", - "remote access.exe", - "windowslauncher.exe" + "mwcliun.exe", + "pcnmgr.exe", + "webexpcnow.exe" ] }, "Artifacts": { @@ -9627,8 +9791,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "simple-help.com" + "au.pcmag.com/utilities/21470/webex-pcnow" ], "Ports": [] } 
@@ -9636,25 +9799,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml", - "Description": "Detects potential network activity of SimpleHelp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml", + "Description": "Detects potential network activity of Pcnow RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml", - "Description": "Detects potential processes activity of SimpleHelp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml", + "Description": "Detects potential processes activity of Pcnow RMM tool" } ], "References": [ - "https://simple-help.com/remote-support" + "http://pcnow.webex.com/ - DOA as of 2024" ], "Acknowledgement": [] }, { - "Name": "CloudFlare Tunnel", - "Description": "CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MyIVO", + "Description": "MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -9669,7 +9832,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "cloudflared.exe" + "myivomgr.exe", + "myivomanager.exe" ] }, "Artifacts": { @@ -9680,7 +9844,7 @@ { "Description": "Known remote domains", "Domains": [ - "cloudflare.com/products/tunnel/" + "myivo-server.software.informer.com" ], "Ports": [] } 
@@ -9688,59 +9852,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml", - "Description": "Detects potential network activity of CloudFlare Tunnel RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml", + "Description": "Detects potential network activity of MyIVO RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml", - "Description": "Detects potential processes activity of CloudFlare Tunnel RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml", + "Description": "Detects potential processes activity of MyIVO RMM tool" } ], "References": [ - "cloudflare.com/products/tunnel/" + "myivo.com - DOA as of 2024" ], "Acknowledgement": [] }, { - "Name": "GoTo Opener", - "Description": "GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\GoTo Opener", - "*\\GoTo Opener" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Pcvisit", - "Description": "Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Addigy", + "Description": "Addigy is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/27/2024", "Details": { "Website": "", "PEMetadata": { @@ -9755,10 +9885,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pcvisit.exe", - "pcvisit_client.exe", - "pcvisit-easysupport.exe", - "pcvisit_service_client.exe" + "addigy-*.pkg" ] }, "Artifacts": { @@ -9769,8 +9896,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.pcvisit.de", - "pcvisit.de" + "prod.addigy.com", + "grtmprod.addigy.com", + "agents.addigy.com" ], "Ports": [] } @@ -9778,22 +9906,18 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml", - "Description": "Detects potential network activity of Pcvisit RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml", - "Description": "Detects potential processes activity of Pcvisit RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml", + "Description": "Detects potential network activity of Addigy RMM tool" } ], "References": [ - "https://www.pcvisit.de/" + "https://addigy.com/" ], "Acknowledgement": [] }, { - "Name": "Mocha VNC Lite", - "Description": "Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "WinSCP", + "Description": "WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -9811,9 +9935,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "This installs a modified VNC and cannot be blocked by path separate from VNC", - "This installs a modified VNC and cannot be blocked by path separate from VNC", - "*\\RealVNC\\VNC4\\*" + "C:\\Users\\IEUser\\Downloads\\WinSCP-5.21.6-Portable\\*", + "*\\WinSCP*Portable\\*", + "*\\WinSCP.exe", + "*\\WinSCP\\*" ] }, "Artifacts": { @@ -9822,16 +9947,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml", + "Description": "Detects potential processes activity of WinSCP RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Laplink Gold", - "Description": "Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netreo", + "Description": "Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -9845,10 +9975,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "tsircusr.exe", - "laplink.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -9858,8 +9985,10 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "wen.laplink.com/product/laplink-gold" + "charon.netreo.net", + "activation.netreo.net", + "*.api.netreo.com", + "netreo.com" ], "Ports": [] } 
@@ -9867,25 +9996,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml", - "Description": "Detects potential network activity of Laplink Gold RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml", - "Description": "Detects potential processes activity of Laplink Gold RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml", + "Description": "Detects potential network activity of Netreo RMM tool" } ], "References": [ - "wen.laplink.com/product/laplink-gold" + "https://solutions.netreo.com/docs/firewall-requirements" ], "Acknowledgement": [] }, { - "Name": "Iperius Remote", - "Description": "Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "rdp2tcp", + "Description": "rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -9900,8 +10025,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "iperius.exe", - "iperiusremote.exe" + "tdp2tcp.exe", + "rdp2tcp.py" ] }, "Artifacts": { @@ -9912,10 +10037,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.iperiusremote.com", - "*.iperius.com", - "*.iperius-rs.com", - "iperiusremote.com" + "user_managed", + "github.com/V-E-O/rdp2tcp" ], "Ports": [] } 
@@ -9923,25 +10046,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml", - "Description": "Detects potential network activity of Iperius Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml", + "Description": "Detects potential network activity of rdp2tcp RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml", - "Description": "Detects potential processes activity of Iperius Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml", + "Description": "Detects potential processes activity of rdp2tcp RMM tool" } ], "References": [ - "https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx" + "github.com/V-E-O/rdp2tcp" ], "Acknowledgement": [] }, { - "Name": "BeamYourScreen", - "Description": "BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeInSync", + "Description": "BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -9956,8 +10079,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "beamyourscreen.exe", - "beamyourscreen-host.exe" + "Beinsync*.exe" ] }, "Artifacts": { @@ -9968,8 +10090,8 @@ { "Description": "Known remote domains", "Domains": [ - "beamyourscreen.com", - "*.beamyourscreen.com" + "*.beinsync.net", + "*.beinsync.com" ], "Ports": [] } 
@@ -9977,25 +10099,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml", - "Description": "Detects potential network activity of BeamYourScreen RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml", + "Description": "Detects potential network activity of BeInSync RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml", - "Description": "Detects potential processes activity of BeamYourScreen RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml", + "Description": "Detects potential processes activity of BeInSync RMM tool" } ], "References": [ - "beamyourscreen redirects to https://www.mikogo.com/" + "https://en.wikipedia.org/wiki/Phoenix_Technologies" ], "Acknowledgement": [] }, { - "Name": "TeleDesktop", - "Description": "TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FixMe.it", + "Description": "FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -10010,9 +10132,17 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pstlaunch.exe", - "ptdskclient.exe", - "ptdskhost.exe" + "FixMeit Client.exe", + "TiExpertStandalone.exe", + "FixMeitClient*.exe", + "TiExpertCore.exe", + "FixMeit Unattended Access Setup.exe", + "FixMeit Expert Setup.exe", + "TiExpertCore.exe", + "fixmeitclient.exe", + "TiClientCore.exe", + "TiClientHelper*.exe", + "9380CC75B872221A7425D7503565B67580407F60" ] }, "Artifacts": { 
@@ -10023,8 +10153,11 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "tele-desk.com" + "*.fixme.it", + "*.techinline.net", + "fixme.it", + "*set.me", + "*setme.net" ], "Ports": [] } @@ -10032,25 +10165,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml", - "Description": "Detects potential network activity of TeleDesktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml", + "Description": "Detects potential network activity of FixMe RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml", - "Description": "Detects potential processes activity of TeleDesktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml", + "Description": "Detects potential processes activity of FixMe RMM tool" } ], - "References": [ - "http://potomacsoft.com/ - DOA as of 2024" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Parallels Access", - "Description": "Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SunLogin", + "Description": "SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -10065,11 +10196,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "parallelsaccess-*.exe", - "TSClient.exe", - "prl_deskctl_agent.exe", - "prl_deskctl_wizard.exe", - "prl_pm_service.exe" + "OrayRemoteShell.exe", + "OrayRemoteService.exe", + "sunlogin*.exe" ] }, "Artifacts": { 
@@ -10080,8 +10209,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.parallels.com", - "parallels.com/products/ras/try" + "sunlogin.oray.com", + "client.oray.net" ], "Ports": [] } @@ -10089,25 +10218,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml", - "Description": "Detects potential network activity of Parallels Access RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml", + "Description": "Detects potential network activity of SunLogin RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml", - "Description": "Detects potential processes activity of Parallels Access RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml", + "Description": "Detects potential processes activity of SunLogin RMM tool" } ], "References": [ - "https://kb.parallels.com/en/129097" + "https://sunlogin.oray.com/en/embed/software.html" ], "Acknowledgement": [] }, { - "Name": "Basecamp", - "Description": "Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "VNC", + "Description": "VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -10121,7 +10250,15 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "winvnc*.exe", + "vncserver.exe", + "winwvc.exe", + "winvncsc.exe", + "vncserverui.exe", + "vncviewer.exe", + "winvnc.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -10131,7 +10268,8 @@ { "Description": "Known remote domains", "Domains": [ - "basecamp.com" + "user_managed", + "realvnc.com/en/connect/download/vnc" ], "Ports": [] } @@ -10139,21 +10277,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml", - "Description": "Detects potential network activity of Basecamp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml", + "Description": "Detects potential network activity of VNC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml", + "Description": "Detects potential processes activity of VNC RMM tool" } ], "References": [ - "basecamp.com - No specific RMM tool listed" + "https://realvnc.com/en/connect/download/vnc" ], "Acknowledgement": [] }, { - "Name": "Weezo", - "Description": "Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MioNet (Also known as WD Anywhere Access)", + "Description": "MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -10168,9 +10310,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "weezohttpd.exe", - "weezo.exe", - "weezo setup*.exe" + "mionet.exe", + "mionetmanager.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml", + "Description": "Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Ericom Connect", + "Description": "Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "EricomConnectRemoteHost*.exe", + "ericomconnnectconfigurationtool.exe" ] }, "Artifacts": { @@ -10181,10 +10361,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.weezo.me", - "weezo.net", - "*.weezo.net", - "weezo.en.softonic.com" + "user_managed", + "ericom.com" ], "Ports": [] } 
@@ -10192,25 +10370,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml", - "Description": "Detects potential network activity of Weezo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml", + "Description": "Detects potential network activity of Ericom Connect RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml", - "Description": "Detects potential processes activity of Weezo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of Ericom Connect RMM tool" } ], "References": [ - "weezo.en.softonic.com" + "https://www.ericom.com/connect-accessnow/" ], "Acknowledgement": [] }, { - "Name": "X2Go", - "Description": "X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Synergy", + "Description": "Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -10230,20 +10408,33 @@ "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml", + "Description": "Detects potential network activity of Synergy RMM tool" + } + ], "References": [ - "https://wiki.x2go.org/doku.php" + "https://symless.com/synergy" ], "Acknowledgement": [] }, { - "Name": "Dev Tunnels (aka Visual Studio Dev Tunnel)", - "Description": "Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CrossTec Remote Control", + "Description": "CrossTec Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -10257,7 +10448,10 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "PCIVIDEO.EXE", + "supporttool.exe" + ] }, "Artifacts": { "Disk": [], @@ -10267,7 +10461,8 @@ { "Description": "Known remote domains", "Domains": [ - "learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview" + "user_managed", + "crosstecsoftware.com/remotecontrol" ], "Ports": [] } 
@@ -10275,19 +10470,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml", - "Description": "Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml", + "Description": "Detects potential network activity of CrossTec Remote Control RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml", + "Description": "Detects potential processes activity of CrossTec Remote Control RMM tool" } ], - "References": [], + "References": [ + "www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024" + ], "Acknowledgement": [] }, { - "Name": "Connectwise Automate (LabTech)", - "Description": "Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RunSmart", + "Description": "RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -10301,11 +10502,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "ltsvc.exe", - "ltsvcmon.exe", - "lttray.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -10315,7 +10512,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.hostedrmm.com" + "runsmart.io" ], "Ports": [] } 
@@ -10323,25 +10520,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml", - "Description": "Detects potential network activity of Connectwise Automate (LabTech) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml", - "Description": "Detects potential processes activity of Connectwise Automate (LabTech) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml", + "Description": "Detects potential network activity of RunSmart RMM tool" } ], - "References": [ - "https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Splashtop (Beta)", - "Description": "Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GotoHTTP", + "Description": "GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -10356,10 +10547,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "SRServer.exe", - "SplashtopSOS.exe", - "Splashtop_Streamer_Windows*.exe", - "SRManager.exe" + "GotoHTTP_x64.exe", + "gotohttp.exe", + "GotoHTTP*.exe" ] }, "Artifacts": { @@ -10370,7 +10560,8 @@ { "Description": "Known remote domains", "Domains": [ - "splashtop.com" + "*.gotohttp.com", + "gotohttp.com" ], "Ports": [] } 
@@ -10378,23 +10569,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml", - "Description": "Detects potential network activity of Splashtop (Beta) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml", + "Description": "Detects potential network activity of GotoHTTP RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml", - "Description": "Detects potential processes activity of Splashtop (Beta) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml", + "Description": "Detects potential processes activity of GotoHTTP RMM tool" } ], - "References": [], + "References": [ + "https://gotohttp.com/goto/help.12x" + ], "Acknowledgement": [] }, { - "Name": "Netop", - "Description": "Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SimpleHelp", + "Description": "SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -10409,42 +10602,56 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\Danware Data\\NetOp Packn Deploy\\*", - "*\\Danware Data\\NetOp Packn Deploy\\*", - "*\\Netop Remote Control\\*" + "simplehelpcustomer.exe", + "simpleservice.exe", + "simplegatewayservice.exe", + "remote access.exe", + "windowslauncher.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "simple-help.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml", + "Description": "Detects potential network activity of SimpleHelp RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml", + "Description": "Detects potential processes activity of SimpleHelp RMM tool" + } + ], + "References": [ + "https://simple-help.com/remote-support" + ], "Acknowledgement": [] }, { - "Name": "Kaseya (VSA)", - "Description": "Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", + "Name": "rdpwrap", + "Description": "rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", "Details": { "Website": "", - "PEMetadata": [ - { - "Filename": "agentmon.exe" - }, - { - "Filename": "KaUpdHlp.exe" - }, - { - "Filename": "KaUsrTsk.exe", - "OriginalFileName": "", - "Description": "" - } - ], + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, "Privileges": "", "Free": "", "Verification": "", 
@@ -10452,102 +10659,21 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Kaseya\\", - "C:\\ProgramData\\Kaseya\\" + "RDPWInst.exe", + "RDPCheck.exe", + "RDPConf.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*", - "Description": "Kaseya Live Connect logs", - "OS": "Windows" - }, - { - "File": "~/Library/Logs/com.kaseya/KaseyaLiveConnect/*", - "Description": "Kaseya Live Connect logs", - "OS": "MacOS" - }, - { - "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*", - "Description": "Kaseya Endpoint logs", - "OS": "Windows" - }, - { - "File": "C:\\Program Files*\\Kaseya\\*\\agentmon.log", - "Description": "Kaseya Agent Monitor log" - }, - { - "File": "/var/log/system.log", - "Description": "Kaseya Agent Monitor log", - "OS": "MacOS 32bit" - }, - { - "File": " ~/opt/kaseya/*/logs*", - "Description": "Kaseya Agent Monitor log", - "OS": "MacOS 64bit" - }, - { - "File": "C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log", - "Description": "Kaseya Setup log in user temp directory", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Temp\\KASetup.log", - "Description": "Kaseya Setup log in Windows temp directory", - "OS": "Windows" - }, - { - "File": "C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*", - "Description": "Kaseya Edge Services logs", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\api\\v1.0\\logs\\", - "Description": "Kaseya API logs", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\api\\v1.5\\endpoint\\logs", - "Description": "Kaseya API logs", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\api\\v1.5\\endpoints\\logs", - "Description": "Kaseya API logs", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\", - "Description": "Certificate creation", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\WebPages\\install\\makecert.txt", - "Description": "Certificate 
creation", - "OS": "Windows" - }, - { - "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*", - "Description": "Endpoint service logs", - "OS": "Windows" - }, - { - "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*", - "Description": "Session logs", - "OS": "Windows" - } - ], - "EventLog": [], - "Registry": [], - "Network": [ + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { "Description": "Known remote domains", "Domains": [ - "deploy01.kaseya.com", - "*managedsupport.kaseya.net", - "*.kaseya.net", - "kaseya.com" + "user_managed", + "github.com/stascorp/rdpwrap" ], "Ports": [] } 
@@ -10555,25 +10681,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml", - "Description": "Detects potential network activity of Kaseya (VSA) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml", + "Description": "Detects potential network activity of rdpwrap RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml", - "Description": "Detects potential files activity of Kaseya (VSA) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml", + "Description": "Detects potential processes activity of rdpwrap RMM tool" } ], "References": [ - "https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements", - "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations", - "https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/", - "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations" + "github.com/stascorp/rdpwrap" ], "Acknowledgement": [] }, { - "Name": "HelpBeam", - "Description": "HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Laplink Everywhere", + "Description": "Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/8/2024", @@ -10591,7 +10714,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "helpbeam*.exe" + "laplink.exe", + "laplink-everywhere-setup*.exe", + "laplinkeverywhere.exe", + "llrcservice.exe", + "serverproxyservice.exe", + "OOSysAgent.exe" ] }, "Artifacts": { 
@@ -10602,7 +10730,9 @@ { "Description": "Known remote domains", "Domains": [ - "helpbeam.software.informer.com" + "everywhere.laplink.com", + "le.laplink.com", + "atled.syspectr.com" ], "Ports": [] } @@ -10610,25 +10740,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml", - "Description": "Detects potential network activity of HelpBeam RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml", + "Description": "Detects potential network activity of Laplink Everywhere RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml", - "Description": "Detects potential processes activity of HelpBeam RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of Laplink Everywhere RMM tool" } ], "References": [ - "https://www.helpbeam.com domain for sale in 2024" + "https://everywhere.laplink.com/docs" ], "Acknowledgement": [] }, { - "Name": "Quest KACE Agent (formerly Dell KACE)", - "Description": "Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Adobe Connect", + "Description": "Adobe Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/27/2024", "Details": { "Website": "", "PEMetadata": { @@ -10643,7 +10773,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "konea.exe" + "ConnectAppSetup*.exe", + "ConnectShellSetup*.exe", + "Connect.exe", + "ConnectDetector.exe" ] }, "Artifacts": { 
@@ -10654,8 +10787,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.kace.com", - "www.quest.com/kace/" + "*.adobeconnect.com" ], "Ports": [] } @@ -10663,25 +10795,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml", - "Description": "Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml", + "Description": "Detects potential network activity of Adobe Connect RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml", - "Description": "Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of Adobe Connect RMM tool" } ], "References": [ - "https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function" + "https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html" ], "Acknowledgement": [] }, { - "Name": "DeskShare", - "Description": "DeskShare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ITSupport247 (ConnectWise)", + "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -10696,8 +10828,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "TeamTaskManager.exe", - "DSGuest.exe" + "saazapsc.exe" ] }, "Artifacts": { @@ -10708,7 +10839,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "*.itsupport247.net", + "itsupport247.net" ], "Ports": [] } @@ -10716,22 +10848,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml", - "Description": "Detects potential network activity of DeskShare RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", + "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml", - "Description": "Detects potential processes activity of DeskShare RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", + "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" } ], "References": [ - "https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx" + "https://control.itsupport247.net/" ], "Acknowledgement": [] }, { - "Name": "rdpwrap", - "Description": "rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MioNet (WD Anywhere Access)", + "Description": "MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
@@ -10749,44 +10881,30 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "RDPWInst.exe", - "RDPCheck.exe", - "RDPConf.exe" + "mionet.exe", + "mionetmanager.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "github.com/stascorp/rdpwrap" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml", - "Description": "Detects potential network activity of rdpwrap RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml", - "Description": "Detects potential processes activity of rdpwrap RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml", + "Description": "Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool" } ], "References": [ - "github.com/stascorp/rdpwrap" + "https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016" ], "Acknowledgement": [] }, { - "Name": "Total Software Deployment", - "Description": "Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Syncthing", + "Description": "Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -10804,10 +10922,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\ProgramData\\Total Software Deployment\\*", - "*\\Total Software Deployment\\*", - "*\\tniwinagent.exe", - "*\\Tsdservice.exe" + "C:\\Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", + "*Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", + "*\\Syncthing.exe" ] }, "Artifacts": { 
@@ -10818,19 +10935,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml", - "Description": "Detects potential processes activity of Total Software Deployment RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml", + "Description": "Detects potential processes activity of Syncthing RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "PuTTY", - "Description": "PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "EMCO Remote Console", + "Description": "EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -10844,21 +10961,41 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "remoteconsole.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "emcosoftware.com" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml", + "Description": "Detects potential network activity of EMCO Remote Console RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml", + "Description": "Detects potential processes activity of EMCO Remote Console RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "RDPView", - "Description": "RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ServerEye", + "Description": "ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -10876,7 +11013,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "dwrcs.exe" + "servereye*.exe", + "ServiceProxyLocalSys.exe" ] }, "Artifacts": { @@ -10887,8 +11025,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "systemmanager.ru/dntu.en/rdp_view.htm" + "*.server-eye.de" ], "Ports": [] } 
@@ -10896,22 +11033,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml", - "Description": "Detects potential network activity of RDPView RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml", + "Description": "Detects potential network activity of ServerEye RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml", - "Description": "Detects potential processes activity of RDPView RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml", + "Description": "Detects potential processes activity of ServerEye RMM tool" } ], "References": [ - "systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware" + "https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf" ], "Acknowledgement": [] }, { - "Name": "Fortra", - "Description": "Fortra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Anyplace Control", + "Description": "Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -10928,7 +11065,9 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "apc_host.exe" + ] }, "Artifacts": { "Disk": [], @@ -10938,7 +11077,7 @@ { "Description": "Known remote domains", "Domains": [ - "fortra.com" + "anyplace-control.com" ], "Ports": [] } 
@@ -10946,21 +11085,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml", - "Description": "Detects potential network activity of Fortra RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml", + "Description": "Detects potential network activity of Anyplace Control RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml", + "Description": "Detects potential processes activity of Anyplace Control RMM tool" } ], "References": [ - "https://www.fortra.com - No free/cloud RMM softwars listed" + "http://www.anyplace-control.com/anyplace-control/help/faq.htm" ], "Acknowledgement": [] }, { - "Name": "ISL Light", - "Description": "ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ShowMyPC", + "Description": "ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -10975,9 +11118,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "islalwaysonmonitor.exe", - "isllight.exe", - "isllightservice.exe" + "SMPCSetup.exe", + "showmypc*.exe", + "showmypc.exe", + "smpcsetup.exe" ] }, "Artifacts": { @@ -10988,7 +11132,8 @@ { "Description": "Known remote domains", "Domains": [ - "islonline.com" + "*.showmypc.com", + "showmypc.com" ], "Ports": [] } 
@@ -10996,23 +11141,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml", - "Description": "Detects potential network activity of ISL Light RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml", + "Description": "Detects potential network activity of ShowMyPC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml", - "Description": "Detects potential processes activity of ISL Light RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml", + "Description": "Detects potential processes activity of ShowMyPC RMM tool" } ], - "References": [], + "References": [ + "https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf" + ], "Acknowledgement": [] }, { - "Name": "Pocket Controller (Soti Xsight)", - "Description": "Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Royal Server", + "Description": "Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -11026,11 +11173,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "pocketcontroller.exe", - "wysebrowser.exe", - "XSightService.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -11040,7 +11183,7 @@ { "Description": "Known remote domains", "Domains": [ - "*soti.net" + "royalapps.com" ], "Ports": [] } 
@@ -11048,25 +11191,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml", - "Description": "Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml", - "Description": "Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml", + "Description": "Detects potential network activity of Royal Server RMM tool" } ], "References": [ - "https://pulse.soti.net/support/soti-xsight/help/" + "https://royalapps.com/server/main/features" ], "Acknowledgement": [] }, { - "Name": "GatherPlace-desktop sharing", - "Description": "GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remobo", + "Description": "Remobo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -11081,9 +11220,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "gp3.exe", - "gp4.exe", - "gp5.exe" + "remobo.exe", + "remobo_client.exe", + "remobo_tracker.exe" ] }, "Artifacts": { @@ -11094,9 +11233,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.gatherplace.com", - "*.gatherplace.net", - "gatherplace.com" + "user_managed", + "remobo.en.softonic.com" ], "Ports": [] } 
@@ -11104,25 +11242,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml", - "Description": "Detects potential network activity of GatherPlace-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml", + "Description": "Detects potential network activity of Remobo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml", - "Description": "Detects potential processes activity of GatherPlace-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml", + "Description": "Detects potential processes activity of Remobo RMM tool" } ], "References": [ - "https://www.gatherplace.com/kb?id=136377" + "https://www.remobo.com - DOA as of 2024" ], "Acknowledgement": [] }, { - "Name": "Site24x7", - "Description": "Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Tailscale", + "Description": "Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/13/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -11137,10 +11275,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "MEAgentHelper.exe", - "MonitoringAgent.exe", - "Site24x7WindowsAgentTrayIcon.exe", - "Site24x7PluginAgent.exe" + "tailscale-*.exe", + "tailscaled.exe", + "tailscale-ipn.exe" ] }, "Artifacts": { 
@@ -11151,12 +11288,9 @@ { "Description": "Known remote domains", "Domains": [ - "plus*.site24x7.com", - "plus*.site24x7.eu", - "plus*.site24x7.in", - "plus*.site24x7.cn", - "plus*.site24x7.net.au", - "site24x7.com/msp" + "*.tailscale.com", + "*.tailscale.io", + "tailscale.com" ], "Ports": [] } 
@@ -11164,86 +11298,49 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml", - "Description": "Detects potential network activity of Site24x7 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml", + "Description": "Detects potential network activity of Tailscale RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml", - "Description": "Detects potential processes activity of Site24x7 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml", + "Description": "Detects potential processes activity of Tailscale RMM tool" } ], "References": [ - "https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent" + "https://tailscale.com/kb/1023/troubleshooting" ], "Acknowledgement": [] }, { - "Name": "MeshCentral", - "Description": "MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n", - "Author": "@kostastsale", - "Created": "2024-09-20", - "LastModified": "2024-09-20", + "Name": "Electric AI (Kaseya)", + "Description": "Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", "Details": { - "Website": "https://meshcentral.com/", + "Website": "", "PEMetadata": { - "Filename": "MeshAgent.exe", + "Filename": "", "OriginalFileName": "", - "Description": "MeshCentral Background Service Agent" + "Description": "" }, - "Privileges": "SYSTEM", - "Free": "Yes", - "Verification": "N/A", - "SupportedOS": [ - "Windows", - "Linux", - "MacOS", - "FreeBSD" - ], - "Capabilities": [ - "Remote Desktop & Terminal", - "Remote File Access", - "Text and Voice Chat", - "Server File Storage", - "Real-time User interface", - "Port Forwarding" - ], - "Vulnerabilities": [ - "CVE-2024-26135" - ], - "InstallationPaths": [ - "meshcentral*.exe", - "meshagent*.exe" - ] + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe", - "Description": "Local MeshAgent service binary after installation", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.msh", - "Description": "Local MeshAgent service configuration file. Contains configuration settings including the MeshCentral server address, port, and other settings. If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary.", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "Mesh Agent background service", - "ImagePath": "\"C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"", - "Description": "Service installation event as result of MeshAgent installation." 
- } - ], + "Disk": [], + "EventLog": [], + "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "meshcentral.com" + "electric.ai" ], "Ports": [] } 
@@ -11251,205 +11348,188 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml", - "Description": "Detects potential network activity of MeshCentral RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml", - "Description": "Detects potential processes activity of MeshCentral RMM tool" - }, - { - "Sigma": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml", - "Description": "Detects MeshAgent Command Execution via MeshCentral" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml", + "Description": "Detects potential network activity of Electric RMM tool" } ], "References": [ - "https://ylianst.github.io/MeshCentral/meshcentral/", - "https://github.com/Ylianst/MeshAgent" + "https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf" ], - "Acknowledgement": [ - { - "Person": "Kostas", - "Handle": "@kostastsale" - } - ] + "Acknowledgement": [] }, { - "Name": "MSP360", - "Description": "MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/9/2024", + "Name": "Action1", + "Description": "Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. 
\nThrough the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.\n", + "Author": "@kostastsale", + "Created": "2024-08-03", + "LastModified": "2024-10-06", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "Online Backup.exe", - "CBBackupPlan.exe", - "Cloud.Backup.Scheduler.exe", - "Cloud.Backup.RM.Service.exe", - "cbb.exe", - "CloudRaService.exe", - "CloudRaSd.exe", - "CloudRaCmd.exe", - "CloudRaUtilities.exe", - "Remote Desktop.exe", - "Connect.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.cloudberrylab.com", - "*.msp360.com", - "*.mspbackups.com", - "msp360.com" - ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml", - "Description": "Detects potential network activity of MSP360 RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml", - "Description": "Detects potential processes activity of MSP360 RMM tool" - } - ], - "References": [ - "https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#" - ], - "Acknowledgement": [] - }, - { - "Name": "ScreenConnect", - "Description": "ScreenConnect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "Ali Alwashali, Nasreddine Bencherchali", - "Created": "2023-10-01", - "LastModified": "2024-08-03", - "Details": { - "Website": "https://www.connectwise.com", + "Website": "https://www.action1.com/", "PEMetadata": [ { - "Filename": "", - "OriginalFileName": "", - "Description": "" + "Filename": "action1_connector.exe" + }, + { + "Filename": "action1_remote.exe" + }, + { + "Filename": "action1_update.exe" + }, + { + "Filename": "action1_agent.exe", + "OriginalFileName": "action1_agent.exe", + "Description": "Endpoint Agent" } ], - "Privileges": "", - "Free": "14-Days Free Trial", - "Verification": "", + "Privileges": "SYSTEM", + "Free": "Yes", + "Verification": "Corporate email required although temporary email services are accepted", "SupportedOS": [ - "Android", - "IOS", - "Linux", - "Mac", "Windows" ], "Capabilities": [ - "Command Line Support", - "File Transfer", - "Install Windows updates", - "Receive notification when user performs a predefined event", - "Remote Command Line", - "Remote Control", - "Sound Capture", - "Start / Stop services", - "View event logs" + "Backup and disaster recovery", + "Billing and invoicing", + "Customer portal", + "HelpDesk and ticketing", + "Mobile app", + "Network discovery", + "Patch management", + "Remote monitoring and management", + "Reporting and analytics" ], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\ScreenConnect Client (Random)\\ScreenConnect.ClientService.exe", - "Remote Workforce Client.exe", - "*\\*\\ScreenConnect.ClientService.exe", - "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", - "*\\ScreenConnect Client*\\*", - "*\\*\\ScreenConnect.WindowsClient.exe", - "screenconnect*.exe", - "screenconnect.windowsclient.exe", - "Remote Workforce Client.exe", - "screenconnect*.exe", - "ConnectWiseControl*.exe", - "connectwise*.exe", - "screenconnect.windowsclient.exe", - "screenconnect.clientservice.exe" + 
"C:\\Windows\\Action1\\*" ] }, "Artifacts": { "Disk": [ { - "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db", - "Description": "ScreenConnect session database", + "File": "C:\\Windows\\Action1\\action1_agent.exe", + "Description": "Action1 service binary", "OS": "Windows" }, { - "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml", - "Description": "ScreenConnect user configuration", + "File": "C:\\Windows\\Action1\\*", + "Description": "Multiple files and binaries related to Action1 installation", "OS": "Windows" }, { - "File": "C:\\ProgramData\\ScreenConnect Client*\\user.config", - "Description": "ScreenConnect client user configuration", + "File": "C:\\Windows\\Action1\\scripts\\*", + "Description": "Multiple scripts related to Action1 installation", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\Action1\\rule_data\\*", + "Description": "Files related to Action1 rules", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\Action1\\action1_log_*.log", + "Description": "Contains history, errors, system notifications. Incoming and outgoing connections.", "OS": "Windows" } ], - "EventLog": [], - "Registry": [], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "A1Agent", + "ImagePath": "\"C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"", + "Description": "Service installation event as result of Action1 installation." + }, + { + "EventID": 4697, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "ServiceName": "A1Agent", + "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe service", + "Description": "Service installation event as result of Action1 installation." + }, + { + "EventID": 4688, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe loggedonuser", + "Description": "Executing command to get logged on user." 
+ } + ], + "Registry": [ + { + "Path": "HKLM\\System\\CurrentControlSet\\Services\\A1Agent", + "Description": "Service installation event as result of Action1 installation." + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe", + "Description": "Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software." + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Action1", + "Description": "Storing its configuration settings and other relevant information" + } + ], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "control.connectwise.com", - "*.connectwise.com", - "*.screenconnect.com" + "*.action1.com" ], - "Ports": [] + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "a1-backend-packages.s3.amazonaws.com" + ], + "Ports": [ + 443 + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml", - "Description": "Detects potential network activity of ScreenConnect RMM tool" + "Name": "Arbitrary code execution and remote sessions via Action1 RMM", + "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", + "author": "@kostastsale", + "Link": "https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml", - "Description": "Detects potential files activity of ScreenConnect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml", + "Description": "Detects potential registry activity of Action1 RMM tool" }, { - "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml", - "Description": "Detects potential processes activity of ScreenConnect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml", + "Description": "Detects potential network activity of Action1 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml", + "Description": "Detects potential files activity of Action1 RMM tool" } ], "References": [ - "https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/" + "https://www.action1.com/documentation/firewall-configuration/", + "https://www.action1.com/documentation/", + "https://twitter.com/Kostastsale/status/1646256901506605063?s=20", + "https://ruler-project.github.io/ruler-project/RULER/remote/Action1/" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Kostas", + "Handle": "@kostastsale" + } + ] }, { - "Name": "Microsoft TSC", - "Description": "Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Koofr", + "Description": "Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -11463,10 +11543,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "termsrv.exe", - "mstsc.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -11474,15 +11551,8 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml", - "Description": "Detects potential processes activity of Microsoft TSC RMM tool" - } - ], - "References": [ - "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { @@ -11543,8 +11613,8 @@ "Acknowledgement": [] }, { - "Name": "Ultra VNC", - "Description": "Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MultCloud", + "Description": "MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -11562,11 +11632,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\uvnc bvba\\UltraVNC\\*", - "*\\uvnc bvba\\UltraVNC\\*", - "*\\UVNC_Launch.exe", - "*\\winvnc.exe", - "*\\vncviewer.exe" + "requires sign up", + "requires sign up" ] }, "Artifacts": { 
@@ -11575,18 +11642,67 @@ "Registry": [], "Network": [] }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Ericom AccessNow", + "Description": "Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "accessserver*.exe", + "accessserver.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "ericom.com" + ], + "Ports": [] + } + ] + }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml", - "Description": "Detects potential processes activity of Ultra VNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml", + "Description": "Detects potential network activity of Ericom AccessNow RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml", + "Description": "Detects potential processes activity of Ericom AccessNow RMM tool" } ], - "References": [], + "References": [ + "https://www.ericom.com/connect-accessnow/" + ], "Acknowledgement": [] }, { - "Name": "Remote Manipulator System", - "Description": "Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "mRemoteNG", + "Description": "mRemoteNG is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -11604,20 +11720,42 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rfusclient.exe", - "rutserv.exe" + "mRemoteNG.exe", + "C:\\Program Files (x86)\\mRemoteNG\\*", + "*\\mRemoteNG\\*", + "*\\mRemoteNG.exe", + "c:\\Program Files (x86)%\\mRemoteNG", + "*%\\mRemoteNG", + "mRemoteNG-Installer-*.msi", + "*\\mRemoteNG.exe" ] }, "Artifacts": { - "Disk": [], + "Disk": [ + { + "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log", + "Description": "mRemoteNG log file", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml", + "Description": "mRemoteNG configuration file", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config", + "Description": "mRemoteNG user configuration file", + "OS": "Windows" + } + ], "EventLog": [], "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "*.internetid.ru", - "rmansys.ru" + "user_managed", + "mremoteng.org" ], "Ports": [] } 
@@ -11625,25 +11763,29 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml", - "Description": "Detects potential network activity of Remote Manipulator System RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml", + "Description": "Detects potential network activity of mRemoteNG RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml", - "Description": "Detects potential processes activity of Remote Manipulator System RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml", + "Description": "Detects potential files activity of mRemoteNG RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml", + "Description": "Detects potential processes activity of mRemoteNG RMM tool" } ], "References": [ - "https://rmansys.ru/files/" + "https://github.com/mRemoteNG/mRemoteNG" ], "Acknowledgement": [] }, { - "Name": "Domotz", - "Description": "Domotz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "eHorus", + "Description": "eHorus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -11658,12 +11800,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "domotz.exe", - "Domotz Pro Desktop App.exe", - "domotz_bash.exe", - "domotz*.exe", - "Domotz Pro Desktop App Setup*.exe", - "domotz-windows*.exe" + "ehorus standalone.exe" ] }, "Artifacts": { 
@@ -11674,9 +11811,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.domotz.co", - "domotz.com", - "*cell-1.domotz.com" + "ehorus.com" ], "Ports": [] } @@ -11684,25 +11819,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml", - "Description": "Detects potential network activity of Domotz RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml", + "Description": "Detects potential network activity of eHorus RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml", - "Description": "Detects potential processes activity of Domotz RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml", + "Description": "Detects potential processes activity of eHorus RMM tool" } ], - "References": [ - "https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "FixMe.it", - "Description": "FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "I'm InTouch", + "Description": "I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -11717,17 +11850,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "FixMeit Client.exe", - "TiExpertStandalone.exe", - "FixMeitClient*.exe", - "TiExpertCore.exe", - "FixMeit Unattended Access Setup.exe", - "FixMeit Expert Setup.exe", - "TiExpertCore.exe", - "fixmeitclient.exe", - "TiClientCore.exe", - "TiClientHelper*.exe", - "9380CC75B872221A7425D7503565B67580407F60" + "iit.exe", + "intouch.exe", + "I'm InTouch Go Installer.exe" ] }, "Artifacts": { @@ -11738,11 +11863,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.fixme.it", - "*.techinline.net", - "fixme.it", - "*set.me", - "*setme.net" + "*.01com.com", + "01com.com/imintouch-remote-pc-desktop" ], "Ports": [] } 
@@ -11750,23 +11872,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml", - "Description": "Detects potential network activity of FixMe RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml", + "Description": "Detects potential network activity of I'm InTouch RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml", - "Description": "Detects potential processes activity of FixMe RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml", + "Description": "Detects potential processes activity of I'm InTouch RMM tool" } ], - "References": [], + "References": [ + "https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/" + ], "Acknowledgement": [] }, { - "Name": "Tanium Deploy", - "Description": "Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Comodo RMM", + "Description": "Comodo RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -11780,7 +11904,10 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "itsmagent.exe", + "rviewer.exe" + ] }, "Artifacts": { "Disk": [], @@ -11790,7 +11917,9 @@ { "Description": "Known remote domains", "Domains": [ - "tanium.com/products/tanium-deploy" + "*.itsm-us1.comodo.com", + "*mdmsupport.comodo.com", + "one.comodo.com" ], "Ports": [] } 
@@ -11798,19 +11927,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml", - "Description": "Detects potential network activity of Tanium Deploy RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml", + "Description": "Detects potential network activity of Comodo RMM RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml", + "Description": "Detects potential processes activity of Comodo RMM RMM tool" } ], - "References": [], + "References": [ + "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" + ], "Acknowledgement": [] }, { - "Name": "N-ABLE Remote Access Software", - "Description": "N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Jump Cloud", + "Description": "Jump Cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -11824,7 +11959,9 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "JumpCloud*.exe " + ] }, "Artifacts": { "Disk": [], @@ -11834,7 +11971,8 @@ { "Description": "Known remote domains", "Domains": [ - "n-able.com" + "*.api.jumpcloud.com", + "*.assist.jumpcloud.com" ], "Ports": [] } 
@@ -11842,19 +11980,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml", - "Description": "Detects potential network activity of N-ABLE Remote Access Software RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml", + "Description": "Detects potential network activity of Jump Cloud RMM tool" } ], - "References": [], + "References": [ + "https://jumpcloud.com/support/understand-remote-assist-agent" + ], "Acknowledgement": [] }, { - "Name": "Quick Assist", - "Description": "Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Parallels Access", + "Description": "Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -11869,7 +12009,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "quickassist.exe" + "parallelsaccess-*.exe", + "TSClient.exe", + "prl_deskctl_agent.exe", + "prl_deskctl_wizard.exe", + "prl_pm_service.exe" ] }, "Artifacts": { @@ -11880,7 +12024,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.support.services.microsoft.com" + "*.parallels.com", + "parallels.com/products/ras/try" ], "Ports": [] } 
@@ -11888,131 +12033,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml", - "Description": "Detects potential network activity of Quick Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml", + "Description": "Detects potential network activity of Parallels Access RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml", - "Description": "Detects potential processes activity of Quick Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml", + "Description": "Detects potential processes activity of Parallels Access RMM tool" } ], - "References": [], + "References": [ + "https://kb.parallels.com/en/129097" + ], "Acknowledgement": [] }, { - "Name": "AnyViewer", - "Description": "AnyViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", - "Author": "@kostastsale", - "Created": "2024-08-03", - "LastModified": "2024-08-03", - "Details": { - "Website": "https://www.anyviewer.com/", - "PEMetadata": [ - { - "Filename": "AnyViewer.exe", - "OriginalFileName": "AnyViewer", - "Description": "Splash Window" - }, - { - "Filename": "RCClient.exe", - "OriginalFileName": "RCClient.exe", - "Description": "AnyViewer Core" - }, - { - "Filename": "ScreanCap.exe", - "Description": "Screan capture" - }, - { - "Filename": "AVCore.exe" - }, - { - "Filename": "RCService.exe" - } - ], - "Privileges": "System", - "Free": "up to 10 devices", - "Verification": "None", - "SupportedOS": [ - "Windows" - ], - "Capabilities": [ - "Remote desktop", - "Remote file transfer", - "Remote monitoring and management", - "Remote shell open" - ], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\AnyViewer\\*" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [ - { - "EventID": 4688, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "CommandLine": "\"C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\" -d", - "Description": "Taking actions on the remote machine such as opening a command prompt." - }, - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "RCService", - "ImagePath": "C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe", - "Description": "AnyViewer service installation service." 
- } - ], - "Registry": [], - "Network": [ - { - "Description": "N/A", - "Domains": [ - "*.anyviewer.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "*.aomeisoftware.com" - ], - "Ports": [ - 443 - ] - } - ] - }, - "Detections": [ - { - "Name": "Arbitrary code execution and remote sessions via Action1 RMM", - "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", - "author": "@kostastsale", - "Link": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml", - "Description": "Detects potential network activity of AnyViewer RMM tool" - } - ], - "References": [ - "https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html", - "https://www.anyviewer.com/help/remote-technical-support.html" - ], - "Acknowledgement": [ - { - "Person": "Kostas", - "Handle": "@kostastsale" - } - ] - }, - { - "Name": "Naverisk", - "Description": "Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemotePC", + "Description": "RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -12030,7 +12066,16 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "AgentSetup-*.exe" + "C:\\Program Files (x86)\\RemotePC\\*", + "Idrive.File-Transfer", + "*\\RemotePC\\*", + "remotepcservice.exe", + "RemotePC.exe", + "remotepchost.exe", + "idrive.RemotePCAgent", + "rpcsuite.exe", + "*\\RemotePCService.exe", + "RemotePCService.exe" ] }, "Artifacts": { 
@@ -12041,8 +12086,10 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "naverisk.com" + "*.remotedesktop.com", + "*.remotepc.com", + "www.remotepc.com", + "remotepc.com" ], "Ports": [] } 
@@ -12050,141 +12097,158 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml", - "Description": "Detects potential network activity of Naverisk RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml", - "Description": "Detects potential processes activity of Naverisk RMM tool" - } - ], - "References": [ - "http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents" - ], - "Acknowledgement": [] - }, - { - "Name": "Addigy", - "Description": "Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/27/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml", + "Description": "Detects potential network activity of RemotePC RMM tool" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "addigy-*.pkg" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "prod.addigy.com", - "grtmprod.addigy.com", - "agents.addigy.com" - ], - "Ports": [] - } - ] - }, - "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml", - "Description": "Detects potential network activity of Addigy RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml", + "Description": "Detects potential processes activity of RemotePC RMM tool" } ], "References": [ - "https://addigy.com/" + "https://www.remotedesktop.com/helpdesk/faq-firewall" ], 
"Acknowledgement": [] }, { - "Name": "Action1", - "Description": "Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. \nThrough the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.\n", - "Author": "@kostastsale", - "Created": "2024-08-03", + "Name": "AnyDesk", + "Category": "RMM", + "Description": "AnyDesk is a popular remote desktop software that enables users to access and control a computer or device from a remote location. It was developed with the primary goal of facilitating remote work, technical support, and collaboration between individuals and teams.\n", + "Author": "Ali Alwashali, Nasreddine Bencherchali", + "Created": "2023-09-29", "LastModified": "2024-10-06", "Details": { - "Website": "https://www.action1.com/", + "Website": "https://anydesk.com/en", "PEMetadata": [ { - "Filename": "action1_connector.exe" - }, - { - "Filename": "action1_remote.exe" - }, - { - "Filename": "action1_update.exe" - }, - { - "Filename": "action1_agent.exe", - "OriginalFileName": "action1_agent.exe", - "Description": "Endpoint Agent" + "Filename": "anydesk.exe", + "OriginalFileName": "AnyDesk.exe", + "Description": "AnyDesk", + "Product": "AnyDesk" } ], - "Privileges": "SYSTEM", - "Free": "Yes", - "Verification": "Corporate email required although temporary email services are accepted", + "Privileges": "User", + "Free": true, + "Verification": false, "SupportedOS": [ + "Android", + "ChromeOS", + "IOS", + "Linux", + "Mac", "Windows" ], "Capabilities": [ - "Backup and disaster recovery", - "Billing and invoicing", - "Customer portal", - "HelpDesk and ticketing", - "Mobile app", - "Network discovery", - "Patch management", - "Remote monitoring and management", - "Reporting and analytics" + "File Transfer", + "File System Access", + "Remote Control", + "GUI Support", + "Command line Support" + ], + 
"Vulnerabilities": [ + "https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html" ], - "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Windows\\Action1\\*" + "C:\\Program Files (x86)\\AnyDesk\\*", + "C:\\Program Files\\AnyDesk\\*" ] }, "Artifacts": { "Disk": [ { - "File": "C:\\Windows\\Action1\\action1_agent.exe", - "Description": "Action1 service binary", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Action1\\*", - "Description": "Multiple files and binaries related to Action1 installation", - "OS": "Windows" + "File": "%programdata%\\AnyDesk\\ad_svc.trace", + "Description": "AnyDesk service log file. As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established.", + "OS": "Windows", + "Example": [ + "info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798" + ] }, { - "File": "C:\\Windows\\Action1\\scripts\\*", - "Description": "Multiple scripts related to Action1 installation", + "File": "%programdata%\\AnyDesk\\connection_trace.txt", + "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)", + "OS": "Windows", + "Example": [ + "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", + "Incoming 2022-09-28, 12:39 User 442226597 442226597" + ] + }, + { + "File": "%APPDATA%\\AnyDesk\\connection_trace.txt", + "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. 
the local user authorized it, or a password was used)", + "OS": "Windows", + "Example": [ + "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", + "Incoming 2022-09-28, 12:39 User 442226597 442226597" + ] + }, + { + "File": "%APPDATA%\\AnyDesk\\ad.trace", + "Description": "AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant.", + "OS": "Windows", + "Example": [ + "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30).", + "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0." + ] + }, + { + "File": "%APPDATA%\\AnyDesk\\chat\\*.txt", + "Description": "If the chat functionality is used, its entries will be printed in a text file in this folder.", "OS": "Windows" }, { - "File": "C:\\Windows\\Action1\\rule_data\\*", - "Description": "Files related to Action1 rules", + "File": "%APPDATA%\\AnyDesk\\user.conf", + "Description": "N/A", "OS": "Windows" }, { - "File": "C:\\Windows\\Action1\\action1_log_*.log", - "Description": "Contains history, errors, system notifications. Incoming and outgoing connections.", + "File": "%PROGRAMDATA%\\AnyDesk\\service.conf", + "Description": "Password can be set to auto-validate the session. 
The password will be saved in a salted hash format.", "OS": "Windows" + }, + { + "File": "%APPDATA%\\AnyDesk\\service.conf", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%APPDATA%\\AnyDesk\\system.conf", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\AnyDesk\\system.conf", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "~/Library/Application Support/AnyDesk/Logs/", + "Description": "N/A", + "OS": "Mac" + }, + { + "File": "~/.config/AnyDesk/Logs/", + "Description": "N/A", + "OS": "Linux" } ], "EventLog": [ 
@@ -12192,45 +12256,67 @@ "EventID": 7045, "ProviderName": "Service Control Manager", "LogFile": "System.evtx", - "ServiceName": "A1Agent", - "ImagePath": "\"C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"", - "Description": "Service installation event as result of Action1 installation." + "ServiceName": "AnyDesk Service", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service", + "Description": "Service installation event as result of AnyDesk installation." }, { "EventID": 4697, "ProviderName": "Microsoft-Security-Auditing", "LogFile": "Security.evtx", - "ServiceName": "A1Agent", - "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe service", - "Description": "Service installation event as result of Action1 installation." - }, - { - "EventID": 4688, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe loggedonuser", - "Description": "Executing command to get logged on user." + "ServiceName": "AnyDesk Service", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service", + "Description": "Service installation event as result of AnyDesk installation." } ], "Registry": [ { - "Path": "HKLM\\System\\CurrentControlSet\\Services\\A1Agent", - "Description": "Service installation event as result of Action1 installation." + "Path": "HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk", + "Description": "N/A" }, { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe", - "Description": "Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software." 
+ "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk", + "Description": "N/A" }, { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Action1", - "Description": "Storing its configuration settings and other relevant information" + "Path": "HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*", + "Description": "N/A" + }, + { + "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk", + "Description": "N/A" + }, + { + "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk", + "Description": "N/A" } ], "Network": [ + { + "Description": "During setup the boot.net.anydesk.com domain is request over port 443", + "Domains": [ + "boot.net.anydesk.com" + ], + "Ports": [ + 443 + ] + }, { "Description": "N/A", "Domains": [ - "*.action1.com" + "relay-[a-f0-9]{8}.net.anydesk.com:443" ], "Ports": [ 443 
@@ -12239,250 +12325,81 @@ { "Description": "N/A", "Domains": [ - "a1-backend-packages.s3.amazonaws.com" + "*.anydesk.com" ], "Ports": [ 443 ] } + ], + "Other": [ + { + "Type": "User-Agent", + "Value": "AnyDesk/*" + }, + { + "Type": "NamedPipe", + "Value": "adprinterpipe" + } ] }, "Detections": [ { - "Name": "Arbitrary code execution and remote sessions via Action1 RMM", - "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", - "author": "@kostastsale", - "Link": "https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml", + "Description": "Anydesk Remote Access Software Service Installation" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml", - "Description": "Detects potential registry activity of Action1 RMM tool" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml", + "Description": "N/A" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml", - "Description": "Detects potential network activity of Action1 RMM tool" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml", + "Description": "N/A" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml", - "Description": "Detects potential files activity of Action1 RMM tool" - } - ], - "References": [ - "https://www.action1.com/documentation/firewall-configuration/", - "https://www.action1.com/documentation/", - 
"https://twitter.com/Kostastsale/status/1646256901506605063?s=20", - "https://ruler-project.github.io/ruler-project/RULER/remote/Action1/" - ], - "Acknowledgement": [ + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml", + "Description": "Remote Access Tool - AnyDesk Silent Installation" + }, { - "Person": "Kostas", - "Handle": "@kostastsale" - } - ] - }, - { - "Name": "AliWangWang-remote-control", - "Description": "AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml", + "Description": "Detects potential registry activity of AnyDesk RMM tool" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "alitask.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "wangwang.taobao.com" - ], - "Ports": [] - } - ] - }, - "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml", - "Description": "Detects potential network activity of AliWangWang-remote-control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml", + "Description": "Detects potential network activity of AnyDesk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml", - "Description": 
"Detects potential processes activity of AliWangWang-remote-control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml", + "Description": "Detects potential files activity of AnyDesk RMM tool" } ], "References": [ - "https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale" + "https://support.anydesk.com/knowledge/firewall", + "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html", + "https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk", + "https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/" ], - "Acknowledgement": [] - }, - { - "Name": "FreeRDP", - "Description": "FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "MioNet (Also known as WD Anywhere Access)", - "Description": "MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "mionet.exe", - "mionetmanager.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ + "Acknowledgement": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml", - "Description": "Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "SmartCode Web VNC", - "Description": "SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" + "Person": "Théo Letailleur", + "Handle": "in/theosyn" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files\\TightVNC\\*", - "*\\TightVNC\\*" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Onionshare", - "Description": "Onionshare is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" + { + "Person": "Ali Alwashali", + "Handle": "@ali_alwashali" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\OnionShare\\*", - "*\\OnionShare\\*", - "*\\onionshare*.exe", - "OnionShare-win*.msi" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml", - "Description": "Detects potential processes activity of Onionshare RMM tool" + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" } - ], - "References": [], - "Acknowledgement": [] + ] }, { - "Name": "Rocket Remote Desktop", - "Description": "Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RDPView", + "Description": "RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -12497,31 +12414,45 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "RDConsole.exe", - "RocketRemoteDesktop_Setup.exe" + "dwrcs.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "systemmanager.ru/dntu.en/rdp_view.htm" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Rocket Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml", + "Description": "Detects potential network activity of RDPView RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml", + "Description": "Detects potential processes activity of RDPView RMM tool" } ], - "References": [], + "References": [ + "systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware" + ], "Acknowledgement": [] }, { - "Name": "WebRDP", - "Description": "WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Royal Apps", + "Description": "Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -12536,7 +12467,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "webrdp.exe" + "royalserver.exe", + "royalts.exe" ] }, "Artifacts": { @@ -12547,8 +12479,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "github.com/Mikej81/WebRDP" + "user_managed" ], "Ports": [] } 
@@ -12556,25 +12487,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml", - "Description": "Detects potential network activity of WebRDP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml", + "Description": "Detects potential network activity of Royal Apps RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml", - "Description": "Detects potential processes activity of WebRDP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml", + "Description": "Detects potential processes activity of Royal Apps RMM tool" } ], "References": [ - "github.com/Mikej81/WebRDP" + "https://www.royalapps.com/ts/win/download" ], "Acknowledgement": [] }, { - "Name": "BeyondTrust", - "Description": "BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TeleDesktop", + "Description": "TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -12588,24 +12519,48 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "pstlaunch.exe", + "ptdskclient.exe", + "ptdskhost.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "tele-desk.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml", + "Description": "Detects potential network activity of TeleDesktop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml", + "Description": "Detects potential processes activity of TeleDesktop RMM tool" + } + ], + "References": [ + "http://potomacsoft.com/ - DOA as of 2024" + ], "Acknowledgement": [] }, { - "Name": "SuperOps", - "Description": "SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RustDesk", + "Description": "RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -12620,8 +12575,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "superopsticket.exe", - "superops.exe" + "rustdesk*.exe", + "rustdesk.exe" ] }, "Artifacts": { @@ -12632,11 +12587,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.superopsbeta.com", - "superops.ai", - "serv.superopsalpha.com", - "*.superops.ai", - "*.superopsalpha.com" + "rustdesk.com", + "user_managed", + "web.rustdesk.com" ], "Ports": [] } 
@@ -12644,25 +12597,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml", - "Description": "Detects potential network activity of SuperOps RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml", + "Description": "Detects potential network activity of RustDesk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml", - "Description": "Detects potential processes activity of SuperOps RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml", + "Description": "Detects potential processes activity of RustDesk RMM tool" } ], "References": [ - "https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent" + "https://rustdesk.com/docs/en/" ], "Acknowledgement": [] }, { - "Name": "RemotePass", - "Description": "RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Rapid7", + "Description": "Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -12677,9 +12630,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remotepass-access.exe", - "rpaccess.exe", - "rpwhostscr.exe" + "ir_agent.exe", + "rapid7_agent_core.exe", + "rapid7_endpoint_broker.exe" ] }, "Artifacts": { @@ -12690,7 +12643,8 @@ { "Description": "Known remote domains", "Domains": [ - "remotepass.com" + "*.analytics.insight.rapid7.com", + "*.endpoint.ingress.rapid7.com" ], "Ports": [] } 
@@ -12698,25 +12652,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml", - "Description": "Detects potential network activity of RemotePass RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml", + "Description": "Detects potential network activity of Rapid7 RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml", - "Description": "Detects potential processes activity of RemotePass RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml", + "Description": "Detects potential processes activity of Rapid7 RMM tool" } ], "References": [ - "https://www.remotepass.com/rpaccess.html - DOA as of 2024" + "https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/" ], "Acknowledgement": [] }, { - "Name": "Itarian", - "Description": "Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MobaXterm", + "Description": "MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -12731,16 +12685,44 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ITSMAgent.exe", - "RViewer.exe", - "ItsmRsp.exe", - "RAccess.exe", - "RmmService.exe", - "ITarianRemoteAccessSetup.exe", - "RDesktop.exe", - "ComodoRemoteControl.exe", - "ITSMService.exe", - "RHost.exe" + "C:\\*\\MobaXterm_installer_12.1.msi", + "*\\MobaXterm_installer_*.msi", + "*\\Mobatek\\MobaXterm\\*" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Sophos-Remote Management System", + "Description": "Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "clientmrinit.exe", + "mgntsvc.exe", + "routernt.exe" ] }, "Artifacts": { @@ -12751,11 +12733,10 @@ { "Description": "Known remote domains", "Domains": [ - "mdmsupport.comodo.com", - "*.itsm-us1.comodo.com", - "*.cmdm.comodo.com", - "remoteaccess.itarian.com", - "servicedesk.itarian.com" + "*.sophos.com", + "*.sophosupd.com", + "*.sophosupd.net", + "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" ], "Ports": [] } 
@@ -12763,25 +12744,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml", - "Description": "Detects potential network activity of Itarian RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml", + "Description": "Detects potential network activity of Sophos-Remote Management System RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml", - "Description": "Detects potential processes activity of Itarian RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml", + "Description": "Detects potential processes activity of Sophos-Remote Management System RMM tool" } ], "References": [ - "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" + "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" ], "Acknowledgement": [] }, { - "Name": "PSEXEC", - "Description": "PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Level.io", + "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -12796,8 +12777,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "psexec.exe", - "psexecsvc.exe" + "level-windows-amd64.exe", + "level.exe", + "level-remote-control-ffmpeg.exe" ] }, "Artifacts": { @@ -12808,7 +12790,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "level.io", + "*.level.io" ], "Ports": [] } 
@@ -12816,25 +12799,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml", - "Description": "Detects potential network activity of PSEXEC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", + "Description": "Detects potential network activity of Level.io RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml", - "Description": "Detects potential processes activity of PSEXEC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", + "Description": "Detects potential processes activity of Level.io RMM tool" } ], "References": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec" + "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" ], "Acknowledgement": [] }, { - "Name": "Level.io", - "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pcvisit", + "Description": "Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -12849,9 +12832,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "level-windows-amd64.exe", - "level.exe", - "level-remote-control-ffmpeg.exe" + "pcvisit.exe", + "pcvisit_client.exe", + "pcvisit-easysupport.exe", + "pcvisit_service_client.exe" ] }, "Artifacts": { @@ -12862,8 +12846,8 @@ { "Description": "Known remote domains", "Domains": [ - "level.io", - "*.level.io" + "*.pcvisit.de", + "pcvisit.de" ], "Ports": [] } 
@@ -12871,22 +12855,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", - "Description": "Detects potential network activity of Level.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml", + "Description": "Detects potential network activity of Pcvisit RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", - "Description": "Detects potential processes activity of Level.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml", + "Description": "Detects potential processes activity of Pcvisit RMM tool" } ], "References": [ - "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" + "https://www.pcvisit.de/" ], "Acknowledgement": [] }, { - "Name": "ezHelp", - "Description": "ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Domotz", + "Description": "Domotz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -12904,9 +12888,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ezhelpclientmanager.exe", - "ezHelpManager.exe", - "ezhelpclient.exe" + "domotz.exe", + "Domotz Pro Desktop App.exe", + "domotz_bash.exe", + "domotz*.exe", + "Domotz Pro Desktop App Setup*.exe", + "domotz-windows*.exe" ] }, "Artifacts": { @@ -12917,8 +12904,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.ezhelp.co.kr", - "ezhelp.co.kr" + "*.domotz.co", + "domotz.com", + "*cell-1.domotz.com" ], "Ports": [] } 
@@ -12926,22 +12914,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml", - "Description": "Detects potential network activity of ezHelp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml", + "Description": "Detects potential network activity of Domotz RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml", - "Description": "Detects potential processes activity of ezHelp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml", + "Description": "Detects potential processes activity of Domotz RMM tool" } ], "References": [ - "https://www.exhelp.co.kr" + "https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/" ], "Acknowledgement": [] }, { - "Name": "Kabuto", - "Description": "Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Microsoft TSC", + "Description": "Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/8/2024", 
@@ -12959,45 +12947,33 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Kabuto.App.Runner.exe" + "termsrv.exe", + "mstsc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.kabuto.io", - "repairtechsolutions.com/kabuto/" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml", - "Description": "Detects potential network activity of Kabuto RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml", - "Description": "Detects potential processes activity of Kabuto RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft TSC RMM tool" } ], "References": [ - "https://www.repairtechsolutions.com/documentation/kabuto/" + "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application" ], "Acknowledgement": [] }, { - "Name": "Synergy", - "Description": "Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemotePass", + "Description": "RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -13011,7 +12987,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "remotepass-access.exe", + "rpaccess.exe", + "rpwhostscr.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -13021,7 +13001,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "remotepass.com" ], "Ports": [] } @@ -13029,18 +13009,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml", - "Description": "Detects potential network activity of Synergy RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml", + "Description": "Detects potential network activity of RemotePass RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml", + "Description": "Detects potential processes activity of RemotePass RMM tool" } ], "References": [ - "https://symless.com/synergy" + "https://www.remotepass.com/rpaccess.html - DOA as of 2024" ], "Acknowledgement": [] }, { - "Name": "ConnectWise", - "Description": "ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Devolutions Remote Desktop Manager", + "Description": "Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -13057,10 +13041,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", - "*\\ScreenConnect*Client*\\*" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -13073,11 +13054,11 @@ "Acknowledgement": [] }, { - "Name": "TigerVNC", - "Description": "TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ZeroTier", + "Description": "ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -13092,11 +13073,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tigervnc*.exe", - "winvnc4.exe", - "C:\\Program Files\\TightVNC\\*", - "*\\TightVNC\\*", - "*\\tvnserver.exe" + "zerotier*.msi", + "zerotier*.exe", + "zero-powershell.exe" ] }, "Artifacts": { @@ -13107,7 +13086,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "zerotier.com", + "*.zerotier.com" ], "Ports": [] } 
@@ -13115,148 +13095,32 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml", - "Description": "Detects potential network activity of TigerVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml", + "Description": "Detects potential network activity of ZeroTier RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml", - "Description": "Detects potential processes activity of TigerVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml", + "Description": "Detects potential processes activity of ZeroTier RMM tool" } ], "References": [ - "https://github.com/TigerVNC/tigervnc/releases" + "https://my.zerotier.com/" ], "Acknowledgement": [] }, { - "Name": "GoToMyPC", - "Description": "GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", + "Name": "Zabbix Agent", + "Description": "Zabbix Agent is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/14/2024", "Details": { "Website": "", - "PEMetadata": [ - { - "Filename": "AppCore.exe" - }, - { - "Filename": "g2comm.exe" - }, - { - "Filename": "g2file*.exe" - }, - { - "Filename": "g2fileh.exe" - }, - { - "Filename": "g2host.exe" - }, - { - "Filename": "g2m_download.exe" - }, - { - "Filename": "g2mainh.exe" - }, - { - "Filename": "G2MChat.exe" - }, - { - "Filename": "G2MCodecInstExtractor.exe" - }, - { - "Filename": "G2MComm.exe" - }, - { - "Filename": "G2MCoreInstExtractor.exe" - }, - { - "Filename": "G2MFeedback.exe" - }, - { - "Filename": "G2MHost.exee" - }, - { - "Filename": "G2MInstaller.exe" - }, - { - "Filename": "G2MInstallerExtractor.exe" - }, - { - "Filename": "G2MInstHigh.exe" - }, - { - "Filename": "G2MLauncher.exe" - }, - { - "Filename": "G2MMatchMaking.exe" - }, - { - "Filename": "G2MMaterials.exe" - }, - { - "Filename": "G2MPolling.exe" - }, - { - "Filename": "G2MQandA.exe" - }, - { - "Filename": "G2MRecorder.exe" - }, - { - "Filename": "G2MScrUtil64.exe" - }, - { - "Filename": "G2MSessionControl.exe" - }, - { - "Filename": "G2MStart.exe" - }, - { - "Filename": "G2MTesting.exe" - }, - { - "Filename": "G2MTranscoder.exe" - }, - { - "Filename": "G2MUI.exe" - }, - { - "Filename": "G2MUninstall.exe" - }, - { - "Filename": "g2mupload.exe" - }, - { - "Filename": "g2mvideoconference.exe" - }, - { - "Filename": "G2MView.exe" - }, - { - "Filename": "g2printh.exe" - }, - { - "Filename": "g2quick.exe" - }, - { - "Filename": "g2svc.exe" - }, - { - "Filename": "g2tray.exe" - }, - { - "Filename": "gopcsrv.exe" - }, - { - "Filename": "GoToScrUtils.exe" - }, - { - "Filename": "GoTo.exe", - "OriginalFileName": "", - "Description": "" - } - ], + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, "Privileges": "", "Free": "", "Verification": "", 
@@ -13264,77 +13128,96 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\GoToMyPC\\*" + "zabbix_agent*.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "%AppData%\\GoTo\\Logs\\goto.log", - "Description": "N/A", - "OS": "Windows" - } - ], + "Disk": [], "EventLog": [], - "Registry": [ - { - "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc", - "Description": "Configuration settings including registration email" - }, - { - "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite", - "Description": "Guest invites send to connect" - }, - { - "Path": "HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", - "Description": "hostname of the computer making connections and location of transferred files" - }, - { - "Path": "HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", - "Description": "hostname of the computer making connections and location of transferred files" - } - ], + "Registry": [], "Network": [ { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "*.GoToMyPC.com" + "user_managed", + "zabbix.com" ], - "Ports": [ - "N/A" - ] + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml", - "Description": "Detects potential registry activity of GoToMyPC RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml", - "Description": "Detects potential network activity of GoToMyPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml", + "Description": "Detects potential network activity of Zabbix Agent RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml", - "Description": "Detects potential files activity of GoToMyPC RMM tool" + "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml", + "Description": "Detects potential processes activity of Zabbix Agent RMM tool" } ], "References": [ - "https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#", - "https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls", - "https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/" + "https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent" ], - "Acknowledgement": [ + "Acknowledgement": [] + }, + { + "Name": "Sorillus", + "Description": "Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "Sorillus-Launcher*.exe", + "Sorillus Launcher.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.sorillus.com", + "sorillus.com" + ], + "Ports": [] + } + ] + }, + "Detections": [ { - "Person": "Phill Moore", - "Handle": "@phillmoore" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml", + "Description": "Detects potential network activity of Sorillus RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml", + "Description": "Detects potential processes activity of Sorillus RMM tool" } - ] + ], + "References": [ + "https://sorillus.com/" + ], + "Acknowledgement": [] }, { - "Name": "Laplink Everywhere", - "Description": "Laplink 
Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "247ithelp.com (ConnectWise)", + "Description": "247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/8/2024", @@ -13352,12 +13235,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "laplink.exe", - "laplink-everywhere-setup*.exe", - "laplinkeverywhere.exe", - "llrcservice.exe", - "serverproxyservice.exe", - "OOSysAgent.exe" + "Remote Workforce Client.exe" ] }, "Artifacts": { @@ -13368,9 +13246,7 @@ { "Description": "Known remote domains", "Domains": [ - "everywhere.laplink.com", - "le.laplink.com", - "atled.syspectr.com" + "*.247ithelp.com" ], "Ports": [] } 
@@ -13378,25 +13254,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml", - "Description": "Detects potential network activity of Laplink Everywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml", + "Description": "Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of Laplink Everywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml", + "Description": "Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool" } ], "References": [ - "https://everywhere.laplink.com/docs" + "Similar / replaced by ScreenConnect" ], "Acknowledgement": [] }, { - "Name": "Syspectr", - "Description": "Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SmartCode Web VNC", + "Description": "SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -13411,10 +13287,41 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "oo-syspectr*.exe", - "OOSysAgent.exe" + "C:\\Program Files\\TightVNC\\*", + "*\\TightVNC\\*" ] }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Visual Studio Dev Tunnel", + "Description": "Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, "Artifacts": { "Disk": [], "EventLog": [], @@ -13423,8 +13330,9 @@ { "Description": "Known remote domains", "Domains": [ - "atled.syspectr.com", - "app.syspectr.com" + "global.rel.tunnels.api.visualstudio.com", + "*.rel.tunnels.api.visualstudio.com", + "*.devtunnels.ms" ], "Ports": [] } 
@@ -13432,22 +13340,70 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml", - "Description": "Detects potential network activity of Syspectr RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml", - "Description": "Detects potential processes activity of Syspectr RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml", + "Description": "Detects potential network activity of Visual Studio Dev Tunnel RMM tool" } ], "References": [ - "https://www.syspectr.com/en/installation-in-a-network" + "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security" ], "Acknowledgement": [] }, { - "Name": "Remote Utilities", - "Description": "Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "LabTech RMM (Now ConnectWise Automate)", + "Description": "LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "ltsvc.exe", + "ltsvcmon.exe", + "lttray.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "connectwise.com" + ], + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml", + "Description": "Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml", + "Description": "Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Remote.it", + "Description": "Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -13465,8 +13421,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rutview.exe", - "rutserv.exe" + "remote-it-installer.exe", + "remote.it.exe", + "remoteit.exe" ] }, "Artifacts": { @@ -13477,7 +13434,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.internetid.ru" + "auth.api.remote.it", + "api.remote.it", + "remote.it" ], "Ports": [] } 
@@ -13485,22 +13444,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml", - "Description": "Detects potential network activity of Remote Utilities RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml", + "Description": "Detects potential network activity of Remote.it RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml", - "Description": "Detects potential processes activity of Remote Utilities RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote.it RMM tool" } ], "References": [ - "https://www.remoteutilities.com/download/" + "https://docs.remote.it/introduction/get-started" ], "Acknowledgement": [] }, { - "Name": "Remcos", - "Description": "Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ExtraPuTTY", + "Description": "ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -13518,7 +13477,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remcos*.exe" + "C:\\Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", + "*Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", + "*\\ExtraPuTTY-0.30-2016-01-28-installer.exe" ] }, "Artifacts": { 
@@ -13529,19 +13490,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml", - "Description": "Detects potential processes activity of Remcos RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml", + "Description": "Detects potential processes activity of ExtraPuTTY RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "ISL Online", - "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "N-ABLE Remote Access Software", + "Description": "N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -13555,15 +13516,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "islalwaysonmonitor.exe", - "isllight.exe", - "isllightservice.exe", - "ISLLightClient.exe", - "C:\\Program Files (x86)\\ISL Online\\ISL Light*", - "*\\ISL Online\\ISL Light*", - "*\\ISLLight.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -13573,8 +13526,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.islonline.com", - "*.islonline.net" + "n-able.com" ], "Ports": [] } 
@@ -13582,25 +13534,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", - "Description": "Detects potential network activity of ISL Online RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", - "Description": "Detects potential processes activity of ISL Online RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml", + "Description": "Detects potential network activity of N-ABLE Remote Access Software RMM tool" } ], - "References": [ - "https://help.islonline.com/19818/165940" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "DragonDisk", - "Description": "DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Ivanti Remote Control", + "Description": "Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -13615,32 +13561,46 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Almageste\\DragonDisk\\*", - "*\\Almageste\\DragonDisk\\*", - "*\\DragonDisk.exe" + "IvantiRemoteControl.exe", + "ArcUI.exe", + "AgentlessRC.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.ivanticloud.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml", - "Description": "Detects potential processes activity of DragonDisk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml", + "Description": "Detects potential network activity of Ivanti Remote Control RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml", + "Description": "Detects potential processes activity of Ivanti Remote Control RMM tool" } ], - "References": [], + "References": [ + "https://rc1.ivanticloud.com/" + ], "Acknowledgement": [] }, { - "Name": "RealVNC", - "Description": "RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PDQ Connect", + "Description": "PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -13654,24 +13614,46 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "pdq-connect*.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "app.pdq.com", + "cfcdn.pdq.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml", + "Description": "Detects potential network activity of PDQ Connect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of PDQ Connect RMM tool" + } + ], + "References": [ + "https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements" + ], "Acknowledgement": [] }, { - "Name": "Supremo", - "Description": "Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "X2Go", + "Description": "X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/13/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -13685,47 +13667,23 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "supremo.exe", - "supremoservice.exe", - "supremosystem.exe", - "supremohelper.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "supremocontrol.com", - "*.supremocontrol.com", - "* .nanosystems.it" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml", - "Description": "Detects potential network activity of Supremo RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml", - "Description": "Detects potential processes activity of Supremo RMM tool" - } - ], + "Detections": [], "References": [ - "https://www.supremocontrol.com/frequently-asked-questions/" + "https://wiki.x2go.org/doku.php" ], "Acknowledgement": [] }, { - "Name": "GoToAssist Agent Desktop Console", - "Description": "GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote Desktop Manager (Devolutions)", + "Description": "Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -13742,10 +13700,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\*\\G2RDesktopConsole-x64.msi", - "*\\G2RDesktopConsole-x64.msi" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -13758,11 +13713,11 @@ "Acknowledgement": [] }, { - "Name": "RemoteView", - "Description": "RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DW Service", + "Description": "DW Service is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -13777,10 +13732,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remoteview.exe", - "rv.exe", - "rvagent.exe", - "rvagtray.exe" + "dwagsvc.exe", + "dwagent.exe", + "dwagsvc.exe" ] }, "Artifacts": { @@ -13791,9 +13745,7 @@ { "Description": "Known remote domains", "Domains": [ - "*content.rview.com", - "*.rview.com", - "content.rview.com" + "*.dwservice.net" ], "Ports": [] } @@ -13801,16 +13753,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml", - "Description": "Detects potential network activity of RemoteView RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml", + "Description": "Detects potential network activity of DW Service RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml", - "Description": "Detects potential processes activity of RemoteView RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml", + "Description": "Detects potential processes activity of DW Service RMM tool" } ], "References": [ - "https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall" + "https://news.dwservice.net/dwservice-security-infrastructure/" ], "Acknowledgement": [] }, 
@@ -13849,8 +13801,39 @@ "Acknowledgement": [] }, { - "Name": "Syncthing", - "Description": "Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Terminals", + "Description": "Terminals is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Duplicati", + "Description": "Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -13868,9 +13851,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", - "*Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", - "*\\Syncthing.exe" + "c:\\Program Files\\*\\Duplicati.Server.exe", + "*\\*\\Duplicati.Server.exe" ] }, "Artifacts": { 
@@ -13881,45 +13863,80 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml", - "Description": "Detects potential processes activity of Syncthing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml", + "Description": "Detects potential processes activity of Duplicati RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "KHelpDesk", - "Description": "KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/26/2024", + "Name": "MeshCentral", + "Description": "MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n", + "Author": "@kostastsale", + "Created": "2024-09-20", + "LastModified": "2024-09-20", "Details": { - "Website": "", + "Website": "https://meshcentral.com/", "PEMetadata": { - "Filename": "", + "Filename": "MeshAgent.exe", "OriginalFileName": "", - "Description": "" + "Description": "MeshCentral Background Service Agent" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], + "Privileges": "SYSTEM", + "Free": "Yes", + "Verification": "N/A", + "SupportedOS": [ + "Windows", + "Linux", + "MacOS", + "FreeBSD" + ], + "Capabilities": [ + "Remote Desktop & Terminal", + "Remote File Access", + "Text and Voice Chat", + "Server File Storage", + "Real-time User interface", + "Port Forwarding" + ], + "Vulnerabilities": [ + "CVE-2024-26135" + ], "InstallationPaths": [ - "KHelpDesk.exe" + "meshcentral*.exe", + "meshagent*.exe" ] }, "Artifacts": { - "Disk": [], - "EventLog": 
[], - "Registry": [], + "Disk": [ + { + "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe", + "Description": "Local MeshAgent service binary after installation", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.msh", + "Description": "Local MeshAgent service configuration file. Contains configuration settings including the MeshCentral server address, port, and other settings. If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary.", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "Mesh Agent background service", + "ImagePath": "\"C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"", + "Description": "Service installation event as result of MeshAgent installation." + } + ], "Network": [ { "Description": "Known remote domains", "Domains": [ - "*.khelpdesk.com.br" + "user_managed", + "meshcentral.com" ], "Ports": [] } 
@@ -13927,25 +13944,35 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml", - "Description": "Detects potential network activity of KHelpDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml", + "Description": "Detects potential network activity of MeshCentral RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml", - "Description": "Detects potential processes activity of KHelpDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml", + "Description": "Detects potential processes activity of MeshCentral RMM tool" + }, + { + "Sigma": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml", + "Description": "Detects MeshAgent Command Execution via MeshCentral" } ], "References": [ - "https://www.khelpdesk.com.br/en-us" + "https://ylianst.github.io/MeshCentral/meshcentral/", + "https://github.com/Ylianst/MeshAgent" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Kostas", + "Handle": "@kostastsale" + } + ] }, { - "Name": "Netop Remote Control (Impero Connect)", - "Description": "Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Instant Housecall", + "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -13960,15 +13987,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nhostsvc.exe", - "nhstw32.exe", - "ngstw32.exe", - "Netop Ondemand.exe", - "nldrw32.exe", - "rmserverconsolemediator.exe", - "ImperoInit.exe", - "Connect.Backdrop.cloud*.exe", - "ImperoClientSVC.exe" + "hsloader.exe", + "ihcserver.exe", + "instanthousecall.exe", + "instanthousecall.exe" ] }, "Artifacts": { @@ -13979,8 +14001,10 @@ { "Description": "Known remote domains", "Domains": [ - "*.connect.backdrop.cloud", - "*.netop.com" + "*.instanthousecall.com", + "*.instanthousecall.net", + "instanthousecall.com", + "secure.instanthousecall.com" ], "Ports": [] } 
@@ -13988,25 +14012,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml", - "Description": "Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", + "Description": "Detects potential network activity of Instant Housecall RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml", - "Description": "Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", + "Description": "Detects potential processes activity of Instant Housecall RMM tool" } ], "References": [ - "https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html" + "https://instanthousecall.com/features/" ], "Acknowledgement": [] }, { - "Name": "Bitvise SSH Server", - "Description": "Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeamYourScreen", + "Description": "BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -14021,32 +14045,46 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\Bitvise SSH Server\\*", - "*\\Bitvise SSH Server\\*", - "*\\BvSshServer-Inst.exe" + "beamyourscreen.exe", + "beamyourscreen-host.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "beamyourscreen.com", + "*.beamyourscreen.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml", - "Description": "Detects potential processes activity of Bitvise SSH Server RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml", + "Description": "Detects potential network activity of BeamYourScreen RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml", + "Description": "Detects potential processes activity of BeamYourScreen RMM tool" } ], - "References": [], + "References": [ + "beamyourscreen redirects to https://www.mikogo.com/" + ], "Acknowledgement": [] }, { - "Name": "Apple Remote Desktop", - "Description": "Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "WebRDP", + "Description": "WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/24/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -14061,7 +14099,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ARDAgent.app" + "webrdp.exe" ] }, "Artifacts": { 
@@ -14072,7 +14110,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "user_managed", + "github.com/Mikej81/WebRDP" ], "Ports": [] } @@ -14080,21 +14119,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Apple Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml", + "Description": "Detects potential network activity of WebRDP RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml", + "Description": "Detects potential processes activity of WebRDP RMM tool" } ], "References": [ - "https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac" + "github.com/Mikej81/WebRDP" ], "Acknowledgement": [] }, { - "Name": "Chrome SSH Extension", - "Description": "Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ISL Online", + "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -14109,23 +14152,49 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*", - "*Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*" + "*\\ISLLight.exe", + "isllight.exe", + "ISLLightClient.exe", + "C:\\Program Files (x86)\\ISL Online\\ISL Light*", + "*\\ISL Online\\ISL Light*", + "ISLLight.exe", + "isllightservice.exe", + "islalwaysonmonitor.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.islonline.com", + "*.islonline.net" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", + "Description": "Detects potential network activity of ISL Online RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", + "Description": "Detects potential processes activity of ISL Online RMM tool" + } + ], + "References": [ + "https://help.islonline.com/19818/165940" + ], "Acknowledgement": [] }, { - "Name": "NetSupport Manager", - "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "QQ IM-remote assistance", + "Description": "QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -14143,9 +14212,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pcictlui.exe", - "client32.exe", - "pcicfgui.exe" + "qq.exe", + "QQProtect.exe", + "qqpcmgr.exe" ] }, "Artifacts": { 
@@ -14156,9 +14225,10 @@ { "Description": "Known remote domains", "Domains": [ - "geo.netsupportsoftware.com", - "netsupportmanager.com", - "*.netsupportmanager.com" + "*.mdt.qq.com", + "*.desktop.qq.com", + "upload_data.qq.com", + "qq-messenger.en.softonic.com" ], "Ports": [] } @@ -14166,25 +14236,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml", - "Description": "Detects potential network activity of NetSupport Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml", + "Description": "Detects potential network activity of QQ IM-remote assistance RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml", - "Description": "Detects potential processes activity of NetSupport Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml", + "Description": "Detects potential processes activity of QQ IM-remote assistance RMM tool" } ], "References": [ - "https://www.netsupportmanager.com/resources/" + "https://en.wikipedia.org/wiki/Tencent_QQ" ], "Acknowledgement": [] }, { - "Name": "ESET Remote Administrator", - "Description": "ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NinjaRMM", + "Description": "NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -14198,12 +14268,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "era.exe", - "einstaller.exe", - "ezhelp*.exe", - "eratool.exe", - "ERAAgent.exe" + "InstallationPaths": [ + "ninjarmmagent.exe", + "NinjaRMMAgent.exe", + "NinjaRMMAgenPatcher.exe", + "ninjarmm-cli.exe" ] }, "Artifacts": { @@ -14214,8 +14283,10 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "eset.com/me/business/remote-management/remote-administrator/" + "*.ninjarmm.com", + "*.ninjaone.com", + "resources.ninjarmm.com", + "ninjaone.com" ], "Ports": [] } 
@@ -14223,25 +14294,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml", - "Description": "Detects potential network activity of ESET Remote Administrator RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml", + "Description": "Detects potential network activity of NinjaRMM RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml", - "Description": "Detects potential processes activity of ESET Remote Administrator RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml", + "Description": "Detects potential processes activity of NinjaRMM RMM tool" } ], "References": [ - "eset.com/me/business/remote-management/remote-administrator/" + "https://www.ninjaone.com/faq/" ], "Acknowledgement": [] }, { - "Name": "Yandex.Disk", - "Description": "Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Echoware", + "Description": "Echoware is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -14256,9 +14327,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Yandex\\*", - "*\\Yandex\\*", - "*\\YandexDisk2.exe" + "echoserver*.exe", + "echoware.dll" ] }, "Artifacts": { 
@@ -14269,19 +14339,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml", - "Description": "Detects potential processes activity of Yandex.Disk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml", + "Description": "Detects potential processes activity of Echoware RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "N-Able Advanced Monitoring Agent", - "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DeskDay", + "Description": "DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -14296,13 +14366,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "BASupSrvc.exe", - "winagent.exe", - "BASupApp.exe", - "BASupTSHelper.exe", - "Agent_*_RW.exe", - "BASEClient.exe", - "BASupSrvcCnfg.exe" + "ultimate_*.exe" ] }, "Artifacts": { @@ -14313,25 +14377,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.beanywhere.com ", - "systemmonitor.co.uk", - "*system-monitor.com", - "cloudbackup.management", - "*systemmonitor.co.uk", - "n-able.com", - "systemmonitor.us", - "*systemmonitor.eu.com", - "*.logicnow.com", - "*.swi-tc.com", - "*remote.management", - "systemmonitor.us.cdn.cloudflare.net", - "*cloudbackup.management", - "remote.management", - "logicnow.com", - "system-monitor.com", - "*systemmonitor.us", - "systemmonitor.eu.com", - "*.n-able.com" + "deskday.ai", + "app.deskday.ai" ], "Ports": [] } 
@@ -14339,25 +14386,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", - "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml", + "Description": "Detects potential network activity of DeskDay RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", - "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml", + "Description": "Detects potential processes activity of DeskDay RMM tool" } ], "References": [ - "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" + "https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate" ], "Acknowledgement": [] }, { - "Name": "MyIVO", - "Description": "MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Xpra", + "Description": "Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -14372,45 +14419,33 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "myivomgr.exe", - "myivomanager.exe" + "C:\\Program Files (x86)\\Xpra\\*", + "*\\Xpra\\*", + "*\\Xpra-Launcher.exe", + "*\\Xpra-x86_64_Setup.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "myivo-server.software.informer.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml", - "Description": "Detects potential network activity of MyIVO RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml", - "Description": "Detects potential processes activity of MyIVO RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml", + "Description": "Detects potential processes activity of Xpra RMM tool" } ], - "References": [ - "myivo.com - DOA as of 2024" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "ITSupport247 (ConnectWise)", - "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Fortra", + "Description": "Fortra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -14424,9 +14459,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "saazapsc.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -14436,7 +14469,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.itsupport247.net" + "fortra.com" ], "Ports": [] } 
@@ -14444,25 +14477,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", - "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", - "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml", + "Description": "Detects potential network activity of Fortra RMM tool" } ], "References": [ - "https://control.itsupport247.net/" + "https://www.fortra.com - No free/cloud RMM softwars listed" ], "Acknowledgement": [] }, { - "Name": "VNC", - "Description": "VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pocket Controller (Soti Xsight)", + "Description": "Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -14477,13 +14506,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "winvnc*.exe", - "vncserver.exe", - "winwvc.exe", - "winvncsc.exe", - "vncserverui.exe", - "vncviewer.exe", - "winvnc.exe" + "pocketcontroller.exe", + "wysebrowser.exe", + "XSightService.exe" ] }, "Artifacts": { @@ -14494,8 +14519,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "realvnc.com/en/connect/download/vnc" + "*soti.net" ], "Ports": [] } 
@@ -14503,25 +14527,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml", - "Description": "Detects potential network activity of VNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml", + "Description": "Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml", - "Description": "Detects potential processes activity of VNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml", + "Description": "Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool" } ], "References": [ - "https://realvnc.com/en/connect/download/vnc" + "https://pulse.soti.net/support/soti-xsight/help/" ], "Acknowledgement": [] }, { - "Name": "ServerEye", - "Description": "ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "LANDesk", + "Description": "LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -14536,8 +14560,16 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "servereye*.exe", - "ServiceProxyLocalSys.exe" + "issuser.exe", + "landeskagentbootstrap.exe", + "LANDeskPortalManager.exe", + "ldinv32.exe", + "ldsensors.exe", + "C:\\Program Files (x86)\\LANDesk\\*", + "*\\LANDesk\\*", + "*\\issuser.exe", + "*\\softmon.exe", + "*\\tmcsvc.exe" ] }, "Artifacts": { 
@@ -14548,7 +14580,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.server-eye.de" + "*.ivanticloud.com", + "*.ivanti.com", + "ivanti.com" ], "Ports": [] } @@ -14556,25 +14590,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml", - "Description": "Detects potential network activity of ServerEye RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml", + "Description": "Detects potential network activity of LANDesk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml", - "Description": "Detects potential processes activity of ServerEye RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml", + "Description": "Detects potential processes activity of LANDesk RMM tool" } ], "References": [ - "https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf" + "https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US" ], "Acknowledgement": [] }, { - "Name": "Rapid7", - "Description": "Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netviewer", + "Description": "Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -14589,9 +14623,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ir_agent.exe", - "rapid7_agent_core.exe", - "rapid7_endpoint_broker.exe" + "netviewer*.exe", + "netviewer.exe" ] }, "Artifacts": { 
@@ -14602,8 +14635,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.analytics.insight.rapid7.com", - "*.endpoint.ingress.rapid7.com" + "download.cnet.com/Net-Viewer/3000-2370_4-10034828.html" ], "Ports": [] } @@ -14611,22 +14643,20 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml", - "Description": "Detects potential network activity of Rapid7 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml", + "Description": "Detects potential network activity of Netviewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml", - "Description": "Detects potential processes activity of Rapid7 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of Netviewer RMM tool" } ], - "References": [ - "https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "GoToAssist (GoTo Resolve)", - "Description": "GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Quick Assist", + "Description": "Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -14644,27 +14674,42 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\ProgramFiles*\\GoTo Machine Installer\\*", - "*\\GoTo Machine Installer\\*", - "*\\GoTo\\*" + "quickassist.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.support.services.microsoft.com" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml", + "Description": "Detects potential network activity of Quick Assist RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Quick Assist RMM tool" + } + ], "References": [], "Acknowledgement": [] }, - { - "Name": "GetScreen", - "Description": "GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + { + "Name": "Xeox", + "Description": "Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -14679,8 +14724,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "GetScreen.exe", - "getscreen.exe" + "xeox-agent_x64.exe", + "xeox_service_windows.exe", + "xeox-agent_*.exe", + "xeox-agent_x86.exe" ] }, "Artifacts": { @@ -14691,9 +14738,8 @@ { "Description": "Known remote domains", "Domains": [ - "getscreen.me", - "GetScreen.me", - "*.getscreen.me" + "*.xeox.com", + "xeox.com" ], "Ports": [] } 
@@ -14701,22 +14747,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml", - "Description": "Detects potential network activity of GetScreen RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml", + "Description": "Detects potential network activity of Xeox RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml", - "Description": "Detects potential processes activity of GetScreen RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml", + "Description": "Detects potential processes activity of Xeox RMM tool" } ], "References": [ - "https://docs.getscreen.me/self-hosted/system-requirements/" + "https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW" ], "Acknowledgement": [] }, { - "Name": "MobaXterm", - "Description": "MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SysAid", + "Description": "SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -14734,9 +14780,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\MobaXterm_installer_12.1.msi", - "*\\MobaXterm_installer_*.msi", - "*\\Mobatek\\MobaXterm\\*" + "C:\\Program Files\\SysAidServer\\*", + "*\\SysAidServer\\*", + "*\\SysAid\\*", + "*\\IliAS.exe" ] }, "Artifacts": { 
@@ -14745,16 +14792,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml", + "Description": "Detects potential processes activity of SysAid RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "CrossTec Remote Control", - "Description": "CrossTec Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Itarian", + "Description": "Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -14769,8 +14821,16 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "PCIVIDEO.EXE", - "supporttool.exe" + "ITSMAgent.exe", + "RViewer.exe", + "ItsmRsp.exe", + "RAccess.exe", + "RmmService.exe", + "ITarianRemoteAccessSetup.exe", + "RDesktop.exe", + "ComodoRemoteControl.exe", + "ITSMService.exe", + "RHost.exe" ] }, "Artifacts": { @@ -14781,8 +14841,11 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "crosstecsoftware.com/remotecontrol" + "mdmsupport.comodo.com", + "*.itsm-us1.comodo.com", + "*.cmdm.comodo.com", + "remoteaccess.itarian.com", + "servicedesk.itarian.com" ], "Ports": [] } 
@@ -14790,25 +14853,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml", - "Description": "Detects potential network activity of CrossTec Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml", + "Description": "Detects potential network activity of Itarian RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml", - "Description": "Detects potential processes activity of CrossTec Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml", + "Description": "Detects potential processes activity of Itarian RMM tool" } ], "References": [ - "www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024" + "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" ], "Acknowledgement": [] }, { - "Name": "Absolute (Computrace)", - "Description": "Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Kabuto", + "Description": "Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "6/18/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -14823,11 +14886,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rpcnet.exe", - "ctes.exe", - "ctespersitence.exe", - "cteshostsvc.exe", - "rpcld.exe" + "Kabuto.App.Runner.exe" ] }, "Artifacts": { 
@@ -14838,8 +14897,8 @@ { "Description": "Known remote domains", "Domains": [ - "*search.namequery.com", - "*server.absolute.com" + "*.kabuto.io", + "repairtechsolutions.com/kabuto/" ], "Ports": [] } 
@@ -14847,65 +14906,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml", - "Description": "Detects potential network activity of Absolute (Computrace) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml", + "Description": "Detects potential network activity of Kabuto RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml", - "Description": "Detects potential processes activity of Absolute (Computrace) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml", + "Description": "Detects potential processes activity of Kabuto RMM tool" } ], "References": [ - "https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com" - ], - "Acknowledgement": [] - }, - { - "Name": "Xshell", - "Description": "Xshell is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\NetSarang\\xShell\\*", - "*\\NetSarang\\xShell\\*", - "*\\xShell.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml", - "Description": "Detects potential processes activity of Xshell RMM tool" - } + "https://www.repairtechsolutions.com/documentation/kabuto/" ], - "References": [], "Acknowledgement": [] }, { - "Name": "MyGreenPC", - "Description": "MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote Manipulator System", + "Description": "Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -14920,7 +14939,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mygreenpc.exe" + "rfusclient.exe", + "rutserv.exe" ] }, "Artifacts": { @@ -14931,7 +14951,8 @@ { "Description": "Known remote domains", "Domains": [ - "*mygreenpc.com" + "*.internetid.ru", + "rmansys.ru" ], "Ports": [] } 
@@ -14939,25 +14960,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml", - "Description": "Detects potential network activity of MyGreenPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml", + "Description": "Detects potential network activity of Remote Manipulator System RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml", - "Description": "Detects potential processes activity of MyGreenPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote Manipulator System RMM tool" } ], "References": [ - "http://www.mygreenpc.com/" + "https://rmansys.ru/files/" ], "Acknowledgement": [] }, { - "Name": "Level.io", - "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NateOn-desktop sharing", + "Description": "NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -14972,9 +14993,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "level-windows-amd64.exe", - "level.exe", - "level-remote-control-ffmpeg.exe" + "nateon*.exe", + "nateon.exe", + "nateonmain.exe" ] }, "Artifacts": { @@ -14985,8 +15006,7 @@ { "Description": "Known remote domains", "Domains": [ - "level.io", - "*.level.io" + "*.nate.com" ], "Ports": [] } 
@@ -14994,22 +15014,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", - "Description": "Detects potential network activity of Level.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml", + "Description": "Detects potential network activity of NateOn-desktop sharing RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", - "Description": "Detects potential processes activity of Level.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml", + "Description": "Detects potential processes activity of NateOn-desktop sharing RMM tool" } ], "References": [ - "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" + "http://rsupport.nate.com/rview/r8/main/index.aspx" ], "Acknowledgement": [] }, { - "Name": "Microsoft Quick Assist", - "Description": "Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Lite Manager", + "Description": "Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -15027,45 +15047,27 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "quickassist.exe" + "C:\\Program Files\\LiteManager Pro – Viewer\\*", + "*\\LiteManager Pro – Viewer\\*", + "*\\LMNoIpServer.exe." ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "*.support.services.microsoft.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml", - "Description": "Detects potential network activity of Microsoft Quick Assist RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml", - "Description": "Detects potential processes activity of Microsoft Quick Assist RMM tool" - } - ], - "References": [ - "https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "Manage Engine (Desktop Central)", - "Description": "Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Syspectr", + "Description": "Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -15080,8 +15082,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "dcagentservice.exe", - "dcagentregister.exe" + "oo-syspectr*.exe", + "OOSysAgent.exe" ] }, "Artifacts": { 
@@ -15092,12 +15094,8 @@ { "Description": "Known remote domains", "Domains": [ - "desktopcentral.manageengine.com", - "desktopcentral.manageengine.com.eu", - "desktopcentral.manageengine.cn", - "*.dms.zoho.com", - "*.dms.zoho.com.eu", - "*.-dms.zoho.com.cn" + "atled.syspectr.com", + "app.syspectr.com" ], "Ports": [] } @@ -15105,15 +15103,17 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml", - "Description": "Detects potential network activity of Desktop Central RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml", + "Description": "Detects potential network activity of Syspectr RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml", - "Description": "Detects potential processes activity of Desktop Central RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml", + "Description": "Detects potential processes activity of Syspectr RMM tool" } ], - "References": [], + "References": [ + "https://www.syspectr.com/en/installation-in-a-network" + ], "Acknowledgement": [] } ] \ No newline at end of file diff --git a/website/public/rmm_tools_table.csv b/website/public/rmm_tools_table.csv index d107196c..1b72656f 100644 --- a/website/public/rmm_tools_table.csv +++ b/website/public/rmm_tools_table.csv 
@@ -1,272 +1,272 @@ Name,Category,Description,Author -[LabTeach (Connectwise Automate)](/rmm_tools/labteach__connectwise_automate_),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information w..., -[Zabbix Agent](/rmm_tools/zabbix_agent),,Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Senso.cloud](/rmm_tools/senso.cloud),,Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[I'm InTouch](/rmm_tools/i'm_intouch),,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[RustDesk](/rmm_tools/rustdesk),,RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Electric AI (Kaseya)](/rmm_tools/electric_ai__kaseya_),,Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be adde..., -[ZOC](/rmm_tools/zoc),,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., -[Any Support](/rmm_tools/any_support),,Any Support is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[PDQ Connect](/rmm_tools/pdq_connect),,PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Pcnow](/rmm_tools/pcnow),,Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Seetrol](/rmm_tools/seetrol),,Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[CarotDAV](/rmm_tools/carotdav),,CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Goverlan](/rmm_tools/goverlan),,Goverlan is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[OptiTune](/rmm_tools/optitune),,OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[EMCO Remote Console](/rmm_tools/emco_remote_console),,EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added..., -[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information ..., -[Tailscale](/rmm_tools/tailscale),,Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Pilixo](/rmm_tools/pilixo),,Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Remote Desktop Manager (Devolutions)](/rmm_tools/remote_desktop_manager__devolutions_),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More informat..., -[BeyondTrust (Bomgar)](/rmm_tools/beyondtrust__bomgar_),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be adde..., -[Alpemix](/rmm_tools/alpemix),,Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becom...,Nasreddine Bencherchali -[Auvik](/rmm_tools/auvik),,Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Tactical RMM](/rmm_tools/tactical_rmm),,Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[MioNet (WD Anywhere Access)](/rmm_tools/mionet__wd_anywhere_access_),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will ..., -[Comodo RMM](/rmm_tools/comodo_rmm),,Comodo RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it be..., -[Pocket Controller](/rmm_tools/pocket_controller),,Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added a..., -[NordLocker](/rmm_tools/nordlocker),,NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[OCS inventory](/rmm_tools/ocs_inventory),,OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it..., -[GotoHTTP](/rmm_tools/gotohttp),,GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Terminals](/rmm_tools/terminals),,Terminals is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[RPort](/rmm_tools/rport),,RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[DeskNets](/rmm_tools/desknets),,DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it beco..., [CentraStage (Now Datto)](/rmm_tools/centrastage__now_datto_),,CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be a..., -[Instant Housecall](/rmm_tools/instant_housecall),,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added a..., -[CruzControl](/rmm_tools/cruzcontrol),,CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Mikogo](/rmm_tools/mikogo),,Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[mRemoteNG](/rmm_tools/mremoteng),,mRemoteNG is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[LabTech RMM (Now ConnectWise Automate)](/rmm_tools/labtech_rmm__now_connectwise_automate_),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. 
More inform..., -[ScreenMeet](/rmm_tools/screenmeet),,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[RES Automation Manager](/rmm_tools/res_automation_manager),,RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be ad..., -[Anyplace Control](/rmm_tools/anyplace_control),,Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as..., -[TightVNC](/rmm_tools/tightvnc),,TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[LiteManager](/rmm_tools/litemanager),,LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Sophos-Remote Management System](/rmm_tools/sophos-remote_management_system),,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information w..., -[ManageEngine](/rmm_tools/manageengine),,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Splashtop Remote](/rmm_tools/splashtop_remote),,Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as..., -[rdp2tcp](/rmm_tools/rdp2tcp),,rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Jump Cloud](/rmm_tools/jump_cloud),,Jump Cloud is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[RemoteView](/rmm_tools/remoteview),,RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Quest KACE Agent (formerly Dell KACE)](/rmm_tools/quest_kace_agent__formerly_dell_kace_),,Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More informa..., +[FleetDeck.io](/rmm_tools/fleetdeck.io),,FleetDeck.io is a remote monitoring and management (RMM) tool. 
More information will be added as it ..., [RuDesktop](/rmm_tools/rudesktop),,RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[LogMeIn](/rmm_tools/logmein),,LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becom...,Nasreddine Bencherchali -[SmartFTP](/rmm_tools/smartftp),,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[NetSupport Manager](/rmm_tools/netsupport_manager),,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added ..., +[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[MSP360](/rmm_tools/msp360),,MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Supremo](/rmm_tools/supremo),,Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Alpemix](/rmm_tools/alpemix),,Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becom...,Nasreddine Bencherchali +[Bitvise SSH Server](/rmm_tools/bitvise_ssh_server),,Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added ..., +[SmarTTY](/rmm_tools/smartty),,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[KHelpDesk](/rmm_tools/khelpdesk),,KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it bec..., [Pocket Cloud (Wyse)](/rmm_tools/pocket_cloud__wyse_),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added..., -[Guacamole](/rmm_tools/guacamole),,Guacamole is a remote monitoring and management (RMM) tool. 
More information will be added as it bec..., -[LANDesk](/rmm_tools/landesk),,LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[pcAnywhere](/rmm_tools/pcanywhere),,pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[mstsc](/rmm_tools/mstsc),,mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[FreeNX](/rmm_tools/freenx),,FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[PSEXEC (Clone)](/rmm_tools/psexec__clone_),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as i..., -[SpyAnywhere](/rmm_tools/spyanywhere),,SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[MultCloud](/rmm_tools/multcloud),,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Visual Studio Dev Tunnel](/rmm_tools/visual_studio_dev_tunnel),,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be ..., -[Xpra](/rmm_tools/xpra),,Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., -[Royal Apps](/rmm_tools/royal_apps),,Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[eHorus](/rmm_tools/ehorus),,eHorus is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[SuperPuTTY](/rmm_tools/superputty),,SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[ZeroTier](/rmm_tools/zerotier),,ZeroTier is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[Devolutions Remote Desktop Manager](/rmm_tools/devolutions_remote_desktop_manager),,Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More informatio..., -[BeAnyWhere](/rmm_tools/beanywhere),,BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[WebEx (Remote Access)](/rmm_tools/webex__remote_access_),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be add..., -[AnyDesk](/rmm_tools/anydesk),RMM,AnyDesk is a popular remote desktop software that enables users to access and control a computer or ...,"Ali Alwashali, Nasreddine Bencherchali" -[Free Ping Tool](/rmm_tools/free_ping_tool),,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as i..., -[S3 Browser](/rmm_tools/s3_browser),,S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[NinjaOne (formerly NinjaRMM)](/rmm_tools/ninjaone__formerly_ninjarmm_),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will..., -[Adobe Connect](/rmm_tools/adobe_connect),,Adobe Connect is a remote monitoring and management (RMM) tool. More information will be added as it..., -[RemotePC](/rmm_tools/remotepc),,RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[AliWangWang-remote-control](/rmm_tools/aliwangwang-remote-control),,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will b..., +[TurboMeeting](/rmm_tools/turbomeeting),,TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[BeyondTrust (Bomgar)](/rmm_tools/beyondtrust__bomgar_),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. 
More information will be adde..., +[Absolute (Computrace)](/rmm_tools/absolute__computrace_),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be add..., +[Impero Connect](/rmm_tools/impero_connect),,Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as i..., +[Netviewer (GoToMeet)](/rmm_tools/netviewer__gotomeet_),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be adde..., +[Goverlan](/rmm_tools/goverlan),,Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[RAdmin](/rmm_tools/radmin),,RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it become...,Nasreddine Bencherchali +[Bitvise SSH Client](/rmm_tools/bitvise_ssh_client),,Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added ..., +[GoToAssist (GoTo Resolve)](/rmm_tools/gotoassist__goto_resolve_),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be..., [LogMeIn rescue](/rmm_tools/logmein_rescue),,LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as i..., -[UltraViewer](/rmm_tools/ultraviewer),,UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Pandora RC (eHorus)](/rmm_tools/pandora_rc__ehorus_),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added..., -[IntelliAdmin Remote Control](/rmm_tools/intelliadmin_remote_control),,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will ..., -[MEGAsync](/rmm_tools/megasync),,MEGAsync is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[Encapto](/rmm_tools/encapto),,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[ShowMyPC](/rmm_tools/showmypc),,ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Lite Manager](/rmm_tools/lite_manager),,Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Splashtop (Beta)](/rmm_tools/splashtop__beta_),,Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as..., +[GoToAssist Agent Desktop Console](/rmm_tools/gotoassist_agent_desktop_console),,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information ..., +[ConnectWise](/rmm_tools/connectwise),,ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it b..., [Netop Remote Control (aka Impero Connect)](/rmm_tools/netop_remote_control__aka_impero_connect_),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More inf..., -[GoToAssist](/rmm_tools/gotoassist),,GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Ericom Connect](/rmm_tools/ericom_connect),,Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as i..., -[TeamViewer](/rmm_tools/teamviewer),,"TeamViewer is a remote monitoring and management (RMM) tool. -...","Nasreddine Bencherchali, Michael Haag" +[Splashtop Remote](/rmm_tools/splashtop_remote),,Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as..., +[Chrome SSH Extension](/rmm_tools/chrome_ssh_extension),,Chrome SSH Extension is a remote monitoring and management (RMM) tool. 
More information will be adde..., [Access Remote PC](/rmm_tools/access_remote_pc),,Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as..., -[SecureCRT](/rmm_tools/securecrt),,SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Acronic Cyber Protect (Remotix)](/rmm_tools/acronic_cyber_protect__remotix_),,Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information w..., -[Sorillus](/rmm_tools/sorillus),,Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Barracuda](/rmm_tools/barracuda),,Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[DeskDay](/rmm_tools/deskday),,DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[RemoteCall](/rmm_tools/remotecall),,RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Splashtop](/rmm_tools/splashtop),,Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it bec...,Nasreddine Bencherchali -[ManageEngine RMM Central](/rmm_tools/manageengine_rmm_central),,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be ..., -[AeroAdmin](/rmm_tools/aeroadmin),,AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[NoMachine](/rmm_tools/nomachine),,NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. 
More information ..., +[Netop Remote Control (Impero Connect)](/rmm_tools/netop_remote_control__impero_connect_),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More informa..., +[Pocket Controller](/rmm_tools/pocket_controller),,Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added a..., +[Pilixo](/rmm_tools/pilixo),,Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Iperius Remote](/rmm_tools/iperius_remote),,Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as i..., +[Microsoft RDP](/rmm_tools/microsoft_rdp),,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it..., +[Total Software Deployment](/rmm_tools/total_software_deployment),,Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be..., +[Apple Remote Desktop](/rmm_tools/apple_remote_desktop),,Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be adde..., +[Free Ping Tool](/rmm_tools/free_ping_tool),,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as i..., +[LiteManager](/rmm_tools/litemanager),,LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[NetSupport Manager](/rmm_tools/netsupport_manager),,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added ..., +[Weezo](/rmm_tools/weezo),,Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Centurion](/rmm_tools/centurion),,Centurion is a remote monitoring and management (RMM) tool. More information will be added as it bec..., [UltraVNC](/rmm_tools/ultravnc),,UltraVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[Instant Housecall](/rmm_tools/instant_housecall),,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added a..., -[NinjaRMM](/rmm_tools/ninjarmm),,NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[ngrok](/rmm_tools/ngrok),,ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Bitvise SSH Client](/rmm_tools/bitvise_ssh_client),,Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added ..., +[TightVNC](/rmm_tools/tightvnc),,TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[ToDesk](/rmm_tools/todesk),,ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[GoToMyPC](/rmm_tools/gotomypc),,GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it beco...,Nasreddine Bencherchali +[Neturo](/rmm_tools/neturo),,Neturo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[GoToAssist](/rmm_tools/gotoassist),,GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[DameWare](/rmm_tools/dameware),,DameWare is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[OptiTune](/rmm_tools/optitune),,OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it beco..., [Chicken (of the VNC)](/rmm_tools/chicken__of_the_vnc_),,Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be adde..., -[SkyFex](/rmm_tools/skyfex),,SkyFex is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., -[Ericom AccessNow](/rmm_tools/ericom_accessnow),,Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as..., -[Microsoft RDP](/rmm_tools/microsoft_rdp),,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it..., -[Royal Server](/rmm_tools/royal_server),,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Solar-PuTTY](/rmm_tools/solar-putty),,Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Duplicati](/rmm_tools/duplicati),,Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[UltraViewer](/rmm_tools/ultraviewer),,UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Barracuda](/rmm_tools/barracuda),,Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Senso.cloud](/rmm_tools/senso.cloud),,Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Any Support](/rmm_tools/any_support),,Any Support is a remote monitoring and management (RMM) tool. More information will be added as it b..., [Remote Desktop Plus](/rmm_tools/remote_desktop_plus),,Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added..., -[ITSupport247 (ConnectWise)](/rmm_tools/itsupport247__connectwise_),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will b..., -[DesktopNow](/rmm_tools/desktopnow),,DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Remmina](/rmm_tools/remmina),,Remmina is a remote monitoring and management (RMM) tool. 
More information will be added as it becom..., +[Splashtop](/rmm_tools/splashtop),,Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it bec...,Nasreddine Bencherchali +[Remcos](/rmm_tools/remcos),,Remcos is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[SpyAnywhere](/rmm_tools/spyanywhere),,SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it b..., [Distant Desktop](/rmm_tools/distant_desktop),,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as ..., -[DameWare](/rmm_tools/dameware),,DameWare is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Level](/rmm_tools/level),,Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Insync](/rmm_tools/insync),,Insync is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Remote.it](/rmm_tools/remote.it),,Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Netreo](/rmm_tools/netreo),,Netreo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[NoteOn-desktop sharing](/rmm_tools/noteon-desktop_sharing),,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be ad..., -[Royal TS](/rmm_tools/royal_ts),,Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[DeskNets](/rmm_tools/desknets),,DeskNets is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[QQ IM-remote assistance](/rmm_tools/qq_im-remote_assistance),,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be a..., -[PuTTY Tray](/rmm_tools/putty_tray),,PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[XRDP](/rmm_tools/xrdp),,XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., -[FastViewer](/rmm_tools/fastviewer),,FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Jump Desktop](/rmm_tools/jump_desktop),,Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Ivanti Remote Control](/rmm_tools/ivanti_remote_control),,Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be add..., -[BeInSync](/rmm_tools/beinsync),,BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[NateOn-desktop sharing](/rmm_tools/nateon-desktop_sharing),,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be ad..., -[Xeox](/rmm_tools/xeox),,Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., -[WinSCP](/rmm_tools/winscp),,WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[DW Service](/rmm_tools/dw_service),,DW Service is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[NTR Remote](/rmm_tools/ntr_remote),,NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[TurboMeeting](/rmm_tools/turbomeeting),,TurboMeeting is a remote monitoring and management (RMM) tool. 
More information will be added as it ..., -[RemoteUtilities](/rmm_tools/remoteutilities),,RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as ..., +[Acronis Cyber Protect (Remotix)](/rmm_tools/acronis_cyber_protect__remotix_),,Acronis Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information w..., [Pulseway](/rmm_tools/pulseway),,Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Panorama9](/rmm_tools/panorama9),,Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Atera](/rmm_tools/atera),,Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransom..., -[JollysFastVNC](/rmm_tools/jollysfastvnc),,JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it..., -[RunSmart](/rmm_tools/runsmart),,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Chrome Remote Desktop](/rmm_tools/chrome_remote_desktop),,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be add..., -[Netviewer (GoToMeet)](/rmm_tools/netviewer__gotomeet_),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be adde..., -[Netviewer](/rmm_tools/netviewer),,Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[ConnectWise Control](/rmm_tools/connectwise_control),,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added..., -[ExtraPuTTY](/rmm_tools/extraputty),,ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[FleetDeck.io](/rmm_tools/fleetdeck.io),,FleetDeck.io is a remote monitoring and management (RMM) tool. 
More information will be added as it ..., -[HelpU](/rmm_tools/helpu),,HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[ToDesk](/rmm_tools/todesk),,ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[RAdmin](/rmm_tools/radmin),,RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it become...,Nasreddine Bencherchali -[CrossLoop](/rmm_tools/crossloop),,CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Centurion](/rmm_tools/centurion),,Centurion is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[KickIdler](/rmm_tools/kickidler),,KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Syncro](/rmm_tools/syncro),,Syncro is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[AweRay](/rmm_tools/aweray),,AweRay is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[SunLogin](/rmm_tools/sunlogin),,SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Koofr](/rmm_tools/koofr),,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[SysAid](/rmm_tools/sysaid),,SysAid is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Neturo](/rmm_tools/neturo),,Neturo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[SmarTTY](/rmm_tools/smartty),,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Impero Connect](/rmm_tools/impero_connect),,Impero Connect is a remote monitoring and management (RMM) tool. 
More information will be added as i..., -[247ithelp.com (ConnectWise)](/rmm_tools/247ithelp.com__connectwise_),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will ..., -[Remobo](/rmm_tools/remobo),,Remobo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Free Tools Launcher](/rmm_tools/free_tools_launcher),,Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added..., -[Echoware](/rmm_tools/echoware),,Echoware is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[TeamViewer](/rmm_tools/teamviewer),,"TeamViewer is a remote monitoring and management (RMM) tool. +...","Nasreddine Bencherchali, Michael Haag" [Zoho Assist](/rmm_tools/zoho_assist),,Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[KiTTY](/rmm_tools/kitty),,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[SimpleHelp](/rmm_tools/simplehelp),,SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[CloudFlare Tunnel](/rmm_tools/cloudflare_tunnel),,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added a..., -[GoTo Opener](/rmm_tools/goto_opener),,GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Pcvisit](/rmm_tools/pcvisit),,Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Mocha VNC Lite](/rmm_tools/mocha_vnc_lite),,Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as i..., -[Laplink Gold](/rmm_tools/laplink_gold),,Laplink Gold is a remote monitoring and management (RMM) tool. 
More information will be added as it ..., -[Iperius Remote](/rmm_tools/iperius_remote),,Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as i..., -[BeamYourScreen](/rmm_tools/beamyourscreen),,BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as i..., -[TeleDesktop](/rmm_tools/teledesktop),,TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Parallels Access](/rmm_tools/parallels_access),,Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as..., -[Basecamp](/rmm_tools/basecamp),,Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Weezo](/rmm_tools/weezo),,Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[X2Go](/rmm_tools/x2go),,X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., -[Dev Tunnels (aka Visual Studio Dev Tunnel)](/rmm_tools/dev_tunnels__aka_visual_studio_dev_tunnel_),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More in..., +[HelpU](/rmm_tools/helpu),,HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[NinjaOne (formerly NinjaRMM)](/rmm_tools/ninjaone__formerly_ninjarmm_),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will..., +[ezHelp](/rmm_tools/ezhelp),,ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[LabTeach (Connectwise Automate)](/rmm_tools/labteach__connectwise_automate_),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information w..., +[FreeNX](/rmm_tools/freenx),,FreeNX is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., +[DragonDisk](/rmm_tools/dragondisk),,DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Manage Engine (Desktop Central)](/rmm_tools/manage_engine__desktop_central_),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information w..., +[Encapto](/rmm_tools/encapto),,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[ConnectWise Control](/rmm_tools/connectwise_control),,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added..., +[Jump Desktop](/rmm_tools/jump_desktop),,Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[MyGreenPC](/rmm_tools/mygreenpc),,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[CruzControl](/rmm_tools/cruzcontrol),,CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it b..., [Connectwise Automate (LabTech)](/rmm_tools/connectwise_automate__labtech_),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information wi..., -[Splashtop (Beta)](/rmm_tools/splashtop__beta_),,Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as..., -[Netop](/rmm_tools/netop),,Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Kaseya (VSA)](/rmm_tools/kaseya__vsa_),,Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be a...,Nasreddine Bencherchali -[HelpBeam](/rmm_tools/helpbeam),,HelpBeam is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[Quest KACE Agent (formerly Dell KACE)](/rmm_tools/quest_kace_agent__formerly_dell_kace_),,Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More informa..., +[NoteOn-desktop sharing](/rmm_tools/noteon-desktop_sharing),,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be ad..., +[Basecamp](/rmm_tools/basecamp),,Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[DesktopNow](/rmm_tools/desktopnow),,DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it be..., [DeskShare](/rmm_tools/deskshare),,DeskShare is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[rdpwrap](/rmm_tools/rdpwrap),,rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Total Software Deployment](/rmm_tools/total_software_deployment),,Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be..., -[PuTTY](/rmm_tools/putty),,PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[RDPView](/rmm_tools/rdpview),,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Fortra](/rmm_tools/fortra),,Fortra is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[ISL Light](/rmm_tools/isl_light),,ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Pocket Controller (Soti Xsight)](/rmm_tools/pocket_controller__soti_xsight_),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information w..., +[RPort](/rmm_tools/rport),,RPort is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes..., +[SuperPuTTY](/rmm_tools/superputty),,SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it be..., [GatherPlace-desktop sharing](/rmm_tools/gatherplace-desktop_sharing),,GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will ..., -[Site24x7](/rmm_tools/site24x7),,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[MeshCentral](/rmm_tools/meshcentral),,MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral ...,@kostastsale -[MSP360](/rmm_tools/msp360),,MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[S3 Browser](/rmm_tools/s3_browser),,S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[NTR Remote](/rmm_tools/ntr_remote),,NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[PSEXEC (Clone)](/rmm_tools/psexec__clone_),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as i..., +[IntelliAdmin Remote Control](/rmm_tools/intelliadmin_remote_control),,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will ..., +[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information ..., +[ngrok](/rmm_tools/ngrok),,ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Mocha VNC Lite](/rmm_tools/mocha_vnc_lite),,Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as i..., +[SkyFex](/rmm_tools/skyfex),,SkyFex is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., +[Laplink Gold](/rmm_tools/laplink_gold),,Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Pandora RC (eHorus)](/rmm_tools/pandora_rc__ehorus_),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added..., +[FastViewer](/rmm_tools/fastviewer),,FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[XRDP](/rmm_tools/xrdp),,XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[PuTTY](/rmm_tools/putty),,PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[KickIdler](/rmm_tools/kickidler),,KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Tactical RMM](/rmm_tools/tactical_rmm),,Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[FreeRDP](/rmm_tools/freerdp),,FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[RemoteCall](/rmm_tools/remotecall),,RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[ZOC](/rmm_tools/zoc),,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., [ScreenConnect](/rmm_tools/screenconnect),,ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it...,"Ali Alwashali, Nasreddine Bencherchali" -[Microsoft TSC](/rmm_tools/microsoft_tsc),,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it..., -[Tanium](/rmm_tools/tanium),,Tanium is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., -[Ultra VNC](/rmm_tools/ultra_vnc),,Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Remote Manipulator System](/rmm_tools/remote_manipulator_system),,Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be..., -[Domotz](/rmm_tools/domotz),,Domotz is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[FixMe.it](/rmm_tools/fixme.it),,FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Insync](/rmm_tools/insync),,Insync is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[ITSupport247 (ConnectWise)](/rmm_tools/itsupport247__connectwise_),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will b..., +[BeyondTrust](/rmm_tools/beyondtrust),,BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Guacamole](/rmm_tools/guacamole),,Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it bec..., [Tanium Deploy](/rmm_tools/tanium_deploy),,Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it..., -[N-ABLE Remote Access Software](/rmm_tools/n-able_remote_access_software),,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information wil..., -[Quick Assist](/rmm_tools/quick_assist),,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[AnyViewer](/rmm_tools/anyviewer),,AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it bec...,@kostastsale -[Naverisk](/rmm_tools/naverisk),,Naverisk is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[Addigy](/rmm_tools/addigy),,Addigy is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Action1](/rmm_tools/action1),,Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute comma...,@kostastsale -[AliWangWang-remote-control](/rmm_tools/aliwangwang-remote-control),,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will b..., -[FreeRDP](/rmm_tools/freerdp),,FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[MioNet (Also known as WD Anywhere Access)](/rmm_tools/mionet__also_known_as_wd_anywhere_access_),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More inf..., -[SmartCode Web VNC](/rmm_tools/smartcode_web_vnc),,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added a..., +[HelpBeam](/rmm_tools/helpbeam),,HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[CarotDAV](/rmm_tools/carotdav),,CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Royal TS](/rmm_tools/royal_ts),,Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it beco..., [Onionshare](/rmm_tools/onionshare),,Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Rocket Remote Desktop](/rmm_tools/rocket_remote_desktop),,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be add..., -[WebRDP](/rmm_tools/webrdp),,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[BeyondTrust](/rmm_tools/beyondtrust),,BeyondTrust is a remote monitoring and management (RMM) tool. 
More information will be added as it b..., -[SuperOps](/rmm_tools/superops),,SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[RemotePass](/rmm_tools/remotepass),,RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Itarian](/rmm_tools/itarian),,Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[PSEXEC](/rmm_tools/psexec),,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[PuTTY Tray](/rmm_tools/putty_tray),,PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[SmartFTP](/rmm_tools/smartftp),,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Kaseya (VSA)](/rmm_tools/kaseya__vsa_),,Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be a...,Nasreddine Bencherchali +[Free Tools Launcher](/rmm_tools/free_tools_launcher),,Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added..., +[SecureCRT](/rmm_tools/securecrt),,SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Chrome Remote Desktop](/rmm_tools/chrome_remote_desktop),,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be add..., +[GetScreen](/rmm_tools/getscreen),,GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[mstsc](/rmm_tools/mstsc),,mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., [Level.io](/rmm_tools/level.io),,Level.io is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[ezHelp](/rmm_tools/ezhelp),,ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Kabuto](/rmm_tools/kabuto),,Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Synergy](/rmm_tools/synergy),,Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[ConnectWise](/rmm_tools/connectwise),,ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it b..., [TigerVNC](/rmm_tools/tigervnc),,TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[GoToMyPC](/rmm_tools/gotomypc),,GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it beco...,Nasreddine Bencherchali -[Laplink Everywhere](/rmm_tools/laplink_everywhere),,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added ..., -[Syspectr](/rmm_tools/syspectr),,Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Dev Tunnels (aka Visual Studio Dev Tunnel)](/rmm_tools/dev_tunnels__aka_visual_studio_dev_tunnel_),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More in..., +[Instant Housecall](/rmm_tools/instant_housecall),,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added a..., +[ScreenMeet](/rmm_tools/screenmeet),,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[BeAnyWhere](/rmm_tools/beanywhere),,BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Ultra VNC](/rmm_tools/ultra_vnc),,Ultra VNC is a remote monitoring and management (RMM) tool. 
More information will be added as it bec..., +[JollysFastVNC](/rmm_tools/jollysfastvnc),,JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it..., +[Site24x7](/rmm_tools/site24x7),,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[ManageEngine](/rmm_tools/manageengine),,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Syncro](/rmm_tools/syncro),,Syncro is a remote monitoring and management (RMM) tool. More information will be added as it become..., [Remote Utilities](/rmm_tools/remote_utilities),,Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as..., -[Remcos](/rmm_tools/remcos),,Remcos is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[DragonDisk](/rmm_tools/dragondisk),,DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[RealVNC](/rmm_tools/realvnc),,RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Supremo](/rmm_tools/supremo),,Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[GoToAssist Agent Desktop Console](/rmm_tools/gotoassist_agent_desktop_console),,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information ..., -[RemoteView](/rmm_tools/remoteview),,RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[VNC Connect](/rmm_tools/vnc_connect),,VNC Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it b..., -[Syncthing](/rmm_tools/syncthing),,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[KHelpDesk](/rmm_tools/khelpdesk),,KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Netop Remote Control (Impero Connect)](/rmm_tools/netop_remote_control__impero_connect_),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More informa..., -[Bitvise SSH Server](/rmm_tools/bitvise_ssh_server),,Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added ..., -[Apple Remote Desktop](/rmm_tools/apple_remote_desktop),,Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be adde..., -[Chrome SSH Extension](/rmm_tools/chrome_ssh_extension),,Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be adde..., -[NetSupport Manager](/rmm_tools/netsupport_manager),,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added ..., +[Microsoft Quick Assist](/rmm_tools/microsoft_quick_assist),,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be ad..., +[Remmina](/rmm_tools/remmina),,Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[CrossLoop](/rmm_tools/crossloop),,CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it bec..., [ESET Remote Administrator](/rmm_tools/eset_remote_administrator),,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be..., +[Atera](/rmm_tools/atera),,Atera is a remote monitoring and management (RMM) tool. 
It is used by threat actors to deploy ransom..., +[NoMachine](/rmm_tools/nomachine),,NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[ISL Light](/rmm_tools/isl_light),,ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it bec..., [Yandex.Disk](/rmm_tools/yandex.disk),,Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information ..., +[ManageEngine RMM Central](/rmm_tools/manageengine_rmm_central),,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be ..., +[Seetrol](/rmm_tools/seetrol),,Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[AweRay](/rmm_tools/aweray),,AweRay is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[OCS inventory](/rmm_tools/ocs_inventory),,OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it..., +[GoTo Opener](/rmm_tools/goto_opener),,GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[AnyViewer](/rmm_tools/anyviewer),,AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it bec...,@kostastsale +[NetSupport Manager](/rmm_tools/netsupport_manager),,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added ..., +[pcAnywhere](/rmm_tools/pcanywhere),,pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[RES Automation Manager](/rmm_tools/res_automation_manager),,RES Automation Manager is a remote monitoring and management (RMM) tool. 
More information will be ad..., +[Rocket Remote Desktop](/rmm_tools/rocket_remote_desktop),,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be add..., +[LogMeIn](/rmm_tools/logmein),,LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becom...,Nasreddine Bencherchali +[Solar-PuTTY](/rmm_tools/solar-putty),,Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[SuperOps](/rmm_tools/superops),,SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[RealVNC](/rmm_tools/realvnc),,RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[NordLocker](/rmm_tools/nordlocker),,NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Auvik](/rmm_tools/auvik),,Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[AeroAdmin](/rmm_tools/aeroadmin),,AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Netop](/rmm_tools/netop),,Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[KiTTY](/rmm_tools/kitty),,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Level](/rmm_tools/level),,Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[CloudFlare Tunnel](/rmm_tools/cloudflare_tunnel),,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added a..., +[MEGAsync](/rmm_tools/megasync),,MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Xshell](/rmm_tools/xshell),,Xshell is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., +[Naverisk](/rmm_tools/naverisk),,Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Mikogo](/rmm_tools/mikogo),,Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[PSEXEC](/rmm_tools/psexec),,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[RemoteUtilities](/rmm_tools/remoteutilities),,RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as ..., +[Panorama9](/rmm_tools/panorama9),,Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[WebEx (Remote Access)](/rmm_tools/webex__remote_access_),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be add..., +[Pcnow](/rmm_tools/pcnow),,Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., [MyIVO](/rmm_tools/myivo),,MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[ITSupport247 (ConnectWise)](/rmm_tools/itsupport247__connectwise_),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will b..., +[Addigy](/rmm_tools/addigy),,Addigy is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[WinSCP](/rmm_tools/winscp),,WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Netreo](/rmm_tools/netreo),,Netreo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[rdp2tcp](/rmm_tools/rdp2tcp),,rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[BeInSync](/rmm_tools/beinsync),,BeInSync is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., +[FixMe.it](/rmm_tools/fixme.it),,FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[SunLogin](/rmm_tools/sunlogin),,SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it beco..., [VNC](/rmm_tools/vnc),,VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., +[MioNet (Also known as WD Anywhere Access)](/rmm_tools/mionet__also_known_as_wd_anywhere_access_),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More inf..., +[Ericom Connect](/rmm_tools/ericom_connect),,Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as i..., +[Synergy](/rmm_tools/synergy),,Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[CrossTec Remote Control](/rmm_tools/crosstec_remote_control),,CrossTec Remote Control is a remote monitoring and management (RMM) tool. More information will be a..., +[RunSmart](/rmm_tools/runsmart),,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[GotoHTTP](/rmm_tools/gotohttp),,GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[SimpleHelp](/rmm_tools/simplehelp),,SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[rdpwrap](/rmm_tools/rdpwrap),,rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Laplink Everywhere](/rmm_tools/laplink_everywhere),,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added ..., +[Adobe Connect](/rmm_tools/adobe_connect),,Adobe Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it..., +[ITSupport247 (ConnectWise)](/rmm_tools/itsupport247__connectwise_),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will b..., +[MioNet (WD Anywhere Access)](/rmm_tools/mionet__wd_anywhere_access_),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will ..., +[Syncthing](/rmm_tools/syncthing),,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[EMCO Remote Console](/rmm_tools/emco_remote_console),,EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added..., [ServerEye](/rmm_tools/servereye),,ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Anyplace Control](/rmm_tools/anyplace_control),,Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as..., +[ShowMyPC](/rmm_tools/showmypc),,ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Royal Server](/rmm_tools/royal_server),,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Remobo](/rmm_tools/remobo),,Remobo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Tailscale](/rmm_tools/tailscale),,Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Electric AI (Kaseya)](/rmm_tools/electric_ai__kaseya_),,Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be adde..., +[Action1](/rmm_tools/action1),,Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute comma...,@kostastsale +[Koofr](/rmm_tools/koofr),,Koofr is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes..., +[Tanium](/rmm_tools/tanium),,Tanium is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[MultCloud](/rmm_tools/multcloud),,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Ericom AccessNow](/rmm_tools/ericom_accessnow),,Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as..., +[mRemoteNG](/rmm_tools/mremoteng),,mRemoteNG is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[eHorus](/rmm_tools/ehorus),,eHorus is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[I'm InTouch](/rmm_tools/i'm_intouch),,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Comodo RMM](/rmm_tools/comodo_rmm),,Comodo RMM is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Jump Cloud](/rmm_tools/jump_cloud),,Jump Cloud is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Parallels Access](/rmm_tools/parallels_access),,Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as..., +[RemotePC](/rmm_tools/remotepc),,RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[AnyDesk](/rmm_tools/anydesk),RMM,AnyDesk is a popular remote desktop software that enables users to access and control a computer or ...,"Ali Alwashali, Nasreddine Bencherchali" +[RDPView](/rmm_tools/rdpview),,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Royal Apps](/rmm_tools/royal_apps),,Royal Apps is a remote monitoring and management (RMM) tool. 
More information will be added as it be..., +[TeleDesktop](/rmm_tools/teledesktop),,TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[RustDesk](/rmm_tools/rustdesk),,RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it beco..., [Rapid7](/rmm_tools/rapid7),,Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[GoToAssist (GoTo Resolve)](/rmm_tools/gotoassist__goto_resolve_),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be..., -[GetScreen](/rmm_tools/getscreen),,GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it bec..., [MobaXterm](/rmm_tools/mobaxterm),,MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[CrossTec Remote Control](/rmm_tools/crosstec_remote_control),,CrossTec Remote Control is a remote monitoring and management (RMM) tool. More information will be a..., -[Absolute (Computrace)](/rmm_tools/absolute__computrace_),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be add..., -[Xshell](/rmm_tools/xshell),,Xshell is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[MyGreenPC](/rmm_tools/mygreenpc),,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Sophos-Remote Management System](/rmm_tools/sophos-remote_management_system),,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information w..., [Level.io](/rmm_tools/level.io),,Level.io is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Microsoft Quick Assist](/rmm_tools/microsoft_quick_assist),,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. 
More information will be ad..., -[Manage Engine (Desktop Central)](/rmm_tools/manage_engine__desktop_central_),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information w..., +[Pcvisit](/rmm_tools/pcvisit),,Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Domotz](/rmm_tools/domotz),,Domotz is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Microsoft TSC](/rmm_tools/microsoft_tsc),,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it..., +[RemotePass](/rmm_tools/remotepass),,RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Devolutions Remote Desktop Manager](/rmm_tools/devolutions_remote_desktop_manager),,Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More informatio..., +[ZeroTier](/rmm_tools/zerotier),,ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Zabbix Agent](/rmm_tools/zabbix_agent),,Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Sorillus](/rmm_tools/sorillus),,Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[247ithelp.com (ConnectWise)](/rmm_tools/247ithelp.com__connectwise_),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will ..., +[SmartCode Web VNC](/rmm_tools/smartcode_web_vnc),,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added a..., +[Visual Studio Dev Tunnel](/rmm_tools/visual_studio_dev_tunnel),,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. 
More information will be ..., +[LabTech RMM (Now ConnectWise Automate)](/rmm_tools/labtech_rmm__now_connectwise_automate_),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More inform..., +[Remote.it](/rmm_tools/remote.it),,Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[ExtraPuTTY](/rmm_tools/extraputty),,ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[N-ABLE Remote Access Software](/rmm_tools/n-able_remote_access_software),,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information wil..., +[Ivanti Remote Control](/rmm_tools/ivanti_remote_control),,Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be add..., +[PDQ Connect](/rmm_tools/pdq_connect),,PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[X2Go](/rmm_tools/x2go),,X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[Remote Desktop Manager (Devolutions)](/rmm_tools/remote_desktop_manager__devolutions_),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More informat..., +[DW Service](/rmm_tools/dw_service),,DW Service is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[VNC Connect](/rmm_tools/vnc_connect),,VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Terminals](/rmm_tools/terminals),,Terminals is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Duplicati](/rmm_tools/duplicati),,Duplicati is a remote monitoring and management (RMM) tool. 
More information will be added as it bec..., +[MeshCentral](/rmm_tools/meshcentral),,MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral ...,@kostastsale +[Instant Housecall](/rmm_tools/instant_housecall),,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added a..., +[BeamYourScreen](/rmm_tools/beamyourscreen),,BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as i..., +[WebRDP](/rmm_tools/webrdp),,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[QQ IM-remote assistance](/rmm_tools/qq_im-remote_assistance),,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be a..., +[NinjaRMM](/rmm_tools/ninjarmm),,NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Echoware](/rmm_tools/echoware),,Echoware is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[DeskDay](/rmm_tools/deskday),,DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Xpra](/rmm_tools/xpra),,Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[Fortra](/rmm_tools/fortra),,Fortra is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Pocket Controller (Soti Xsight)](/rmm_tools/pocket_controller__soti_xsight_),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information w..., +[LANDesk](/rmm_tools/landesk),,LANDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becom..., +[Netviewer](/rmm_tools/netviewer),,Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Quick Assist](/rmm_tools/quick_assist),,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Xeox](/rmm_tools/xeox),,Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[SysAid](/rmm_tools/sysaid),,SysAid is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Itarian](/rmm_tools/itarian),,Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Kabuto](/rmm_tools/kabuto),,Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Remote Manipulator System](/rmm_tools/remote_manipulator_system),,Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be..., +[NateOn-desktop sharing](/rmm_tools/nateon-desktop_sharing),,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be ad..., +[Lite Manager](/rmm_tools/lite_manager),,Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Syspectr](/rmm_tools/syspectr),,Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it beco...,